CVE-2026-8823— User Manager can demote bot accounts to guest without bot-management permission
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8823
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
User Manager can demote bot accounts to guest without bot-management permission
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Mattermost | Mattermost | 11.7.0 ~ 11.7.0 | - |
II. Public POCs for CVE-2026-8823
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8823
请登录查看更多情报信息。
Same Patch Batch · Mattermost · 2026-06-22 · 6 CVEs total
| CVE-2026-6062 | 6.4 MEDIUM | IDOR in Jira plugin subscription edit endpoint |
| CVE-2026-6673 | 6.4 MEDIUM | Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pen |
| CVE-2026-5139 | 5.4 MEDIUM | GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration |
| CVE-2026-9162 | 4.3 MEDIUM | Global session revocation does not invalidate active WebSocket connections |
| CVE-2026-8074 | 3.8 LOW | Improper Permission Check Allows User Manager to Deactivate Bot Accounts |
IV. Related Vulnerabilities
Same product: Mattermost
- CVE-2026-4339
SSRF via unvalidated attachment URLs in Mattermost Agents pl - CVE-2026-9699
Mattermost Agents plugin logs unsanitized OpenAI API keys on - CVE-2026-3472
Markdown image rendering bypass in AI bot tool result posts - CVE-2026-6062
IDOR in Jira plugin subscription edit endpoint - CVE-2026-6673
Mattermost Jira plugin had unauthenticated {{/ac/installed}}
Same vendor: Mattermost
- CVE-2026-4339
SSRF via unvalidated attachment URLs in Mattermost Agents pl - CVE-2026-9699
Mattermost Agents plugin logs unsanitized OpenAI API keys on - CVE-2026-3472
Markdown image rendering bypass in AI bot tool result posts - CVE-2026-13426
Client4 fails to validate path parameters - CVE-2026-2299
Improper Access Control in Mattermost Google Drive Plugin Fi
Same weakness: CWE-863
- CVE-2026-9640
LXD Snapshot Import Privilege Escalation Vulnerability - CVE-2026-54091
File Browser: Incorrect access control in public directory s - CVE-2026-54096
File Browser: Improper Access Control Occurs via Pre-Created - CVE-2026-54573
Authorization Bypass in API Key/OAuth Scopes via Path Parsin - CVE-2026-0934
Incorrect Authorization in GitLab
V. Comments for CVE-2026-8823
No comments yet