Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
Mattermost: Authenticated User Can Bypass Single Sign-On Requirements
CVE-2026-0999
GHSA-3c9r-7f29-qp32
Summary
Mattermost versions 11.1 through 11.1.2, 10.11 through 10.11.9, and 11.2 through 11.2.1 have a security issue that could allow an authenticated user to log in without going through Single Sign-On (SSO) even when it's required. This could potentially let someone access accounts they shouldn't. Update to a fixed version to fix this issue.
What to do
- Update github.com mattermost to version 8.0.0-20251212052346-61651b0df7ea.
- Update github.com mattermost to version 5.3.2-0.20251212052346-61651b0df7ea.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | <= 8.0.0-20251212052346-61651b0df7ea | 8.0.0-20251212052346-61651b0df7ea |
| github.com | mattermost | > 11.1.0 , <= 11.1.3 | – |
| github.com | mattermost | > 10.11.0 , <= 10.11.10 | – |
| github.com | mattermost | > 11.2.0 , <= 11.2.2 | – |
| github.com | mattermost | <= 5.3.2-0.20251212052346-61651b0df7ea | 5.3.2-0.20251212052346-61651b0df7ea |
| mattermost | mattermost_server | > 10.11.0 , <= 10.11.10 | – |
| mattermost | mattermost_server | > 11.1.0 , <= 11.1.3 | – |
| mattermost | mattermost_server | > 11.2.0 , <= 11.2.2 | – |
Original title
Mattermost fails to properly validate login method restrictions
Original description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
nvd CVSS3.1
4.3
Vulnerability type
CWE-303
Published: 16 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026