GHSA-5qx9-9ffj-5r8f

GitHub Security Advisory

Mattermost fails to fully validate role changes

GitHub Reviewed: Yes | Severity: Low | Has CVE: Yes

Advisory Details

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests.

Affected Packages

Go: github.com/mattermost/mattermost-server, affected versions: 9.6.0-rc1 (fixed in 9.6.1)
Go: github.com/mattermost/mattermost-server, affected versions: 9.5.0 (fixed in 9.5.3)
Go: github.com/mattermost/mattermost-server, affected versions: 8.1.0 (fixed in 8.1.12)

Key Information

GHSA ID: GHSA-5qx9-9ffj-5r8f
Published: April 26, 2024 9:30 AM
Last Modified: April 26, 2024 7:09 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: Go
Primary Package: github.com/mattermost/mattermost-server
GitHub Reviewed: Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.