Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

Affected Packages

Go github.com/mattermost/mattermost-server

Affected versions: 9.5.0 (fixed in 9.5.3)

Go github.com/mattermost/mattermost-server

Affected versions: 8.1.0 (fixed in 8.1.12)

Related CVEs

CVE-2024-4195

Key Information

GHSA ID

GHSA-5fh7-7mw7-mmx5

Published

April 26, 2024 9:30 AM

Last Modified

April 26, 2024 7:06 PM

CVSS Score

2.5 /10

Primary Ecosystem

Primary Package

github.com/mattermost/mattermost-server

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.