CVE-2026-7387 · Severity: HIGH · CNA: Mattermost

CVE-2026-7387: Mattermost group syncable endpoints allow privilege escalation via scheme_admin

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 and 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on the group syncable link and patch endpoints. A user who holds only the permission to link a group to a team or channel can therefore set scheme_admin on the syncable via crafted API requests and escalate themselves and every synced group member to team or channel admin. Mattermost Advisory ID: MMSA-2026-00665

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 10.11.16
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in Mattermost, a self-hosted team messaging platform. The flaw is reachable over the network and requires only a low-privilege account; no victim interaction is needed. A user with group-link permissions can send crafted API requests to the group syncable link and patch endpoints to set the scheme_admin flag without proper authorization checks, elevating themselves or other group members to team or channel administrator. Patched-image rebuilds at versions 10.11.16, 10.11.17, 11.5.5, 11.6.2, and 11.7.0 are available on HarborGuard for affected environments.
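The authorization gap described above, as an added example that is not Mattermost's code. The permission names (PermManageTeam, PermManageTeamRoles), the Session type and the handler signatures are assumptions modelled loosely on how a team-syncable link handler is gated; the request body fields auto_add and scheme_admin mirror the link/patch body. LinkVulnerable checks only the link permission and copies scheme_admin straight from the body; LinkHardened adds the missing role-management gate and refuses the request outright rather than silently dropping the flag, so the attempt shows up as a 403 in logs.

```go
package main

// Added example, not Mattermost's code: models the authorization gap from the
// advisory. Permission names, Session and the handler signatures are assumptions.

import (
	"encoding/json"
	"errors"
	"fmt"
)

type Permission string

const (
	// Assumed stand-ins: one permission gates linking a group to a team, a
	// separate one gates granting team admin (role management).
	PermManageTeam      Permission = "manage_team"
	PermManageTeamRoles Permission = "manage_team_roles"
)

// Session is the caller's session reduced to the permissions it holds on the target team.
type Session struct {
	UserID string
	Perms  map[Permission]bool
}

func (s Session) Has(p Permission) bool { return s.Perms[p] }

// GroupSyncablePatch is the body of the link / patch request.
type GroupSyncablePatch struct {
	AutoAdd     *bool `json:"auto_add"`
	SchemeAdmin *bool `json:"scheme_admin"`
}

var ErrForbidden = errors.New("403: insufficient permissions")

// Result is what the handler would persist on the syncable.
type Result struct {
	AutoAdd     bool
	SchemeAdmin bool
}

func decode(body []byte) (GroupSyncablePatch, error) {
	var p GroupSyncablePatch
	err := json.Unmarshal(body, &p)
	return p, err
}

func apply(p GroupSyncablePatch) Result {
	return Result{
		AutoAdd:     p.AutoAdd != nil && *p.AutoAdd,
		SchemeAdmin: p.SchemeAdmin != nil && *p.SchemeAdmin,
	}
}

// LinkVulnerable checks only the permission needed to link the group. scheme_admin
// is taken from the body unchecked, so a caller who may link groups promotes every
// synced member (including themselves) to team admin.
func LinkVulnerable(s Session, body []byte) (Result, error) {
	p, err := decode(body)
	if err != nil {
		return Result{}, err
	}
	if !s.Has(PermManageTeam) {
		return Result{}, ErrForbidden
	}
	return apply(p), nil
}

// LinkHardened adds the missing gate: asking for scheme_admin=true additionally
// requires the role-management permission. The request is refused, not downgraded,
// so the attempt is visible as a 403 rather than quietly succeeding without the flag.
func LinkHardened(s Session, body []byte) (Result, error) {
	p, err := decode(body)
	if err != nil {
		return Result{}, err
	}
	if !s.Has(PermManageTeam) {
		return Result{}, ErrForbidden
	}
	if p.SchemeAdmin != nil && *p.SchemeAdmin && !s.Has(PermManageTeamRoles) {
		return Result{}, ErrForbidden
	}
	return apply(p), nil
}

func main() {
	// Constructed request: the attacker links their group with scheme_admin set.
	body := []byte(`{"auto_add": true, "scheme_admin": true}`)
	linker := Session{UserID: "u_linker", Perms: map[Permission]bool{PermManageTeam: true}}

	r, err := LinkVulnerable(linker, body)
	fmt.Printf("vulnerable: result=%+v err=%v\n", r, err)
	r, err = LinkHardened(linker, body)
	fmt.Printf("hardened:   result=%+v err=%v\n", r, err)
}
```

The same two-gate pattern applies to the channel syncable endpoints with the channel-level link and role-management permissions; the point is that "may link a group" and "may grant admin" are distinct authorizations and the second must be checked whenever the body can carry scheme_admin, on patch as well as on link.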

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7387 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built Mattermost images.

Triage: Available

HarborGuard scores this issue at CVSS 8.8 (HIGH) using the upstream vector and can apply per-environment compliance policy weighting to adjust priority and route the finding to the appropriate team or inbox within each customer organization.

Patch: Available

A patched-image rebuild at the fix versions (10.11.16, 10.11.17, 11.5.5, 11.6.2, or 11.7.0) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard runs a rebuild and regression test and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoints are exposed over the network, so an attacker must be able to reach the Mattermost server via HTTP/S.

  • Authentication: Required

    Any low-privilege Mattermost account with group-link permissions is sufficient; no admin credentials are needed.

  • Victim interaction: Not required

    The attacker sends crafted API requests directly; no action from another user is required.

  • Attack complexity: Low (CVSS AC:L)

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • Reads sensitive channel and team membership data accessible to the newly elevated admin role.
  • Modifies team and channel settings, membership lists, and permissions for any group members the attacker promotes.
  • Grants persistent admin-level access that survives password resets or session expiry until the privilege assignment is revoked.
  • Disrupts organizational access controls by silently elevating unprivileged users to team or channel administrator.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication and flags any image running an affected Mattermost version across connected registries and pipelines. The finding is scored at CVSS 8.8 HIGH and routed according to each organization's compliance policy. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the appropriate fix version (10.11.16, 10.11.17, 11.5.5, 11.6.2, or 11.7.0), a regression-test run, and a pull request opened against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Organizations not using auto-remediation can review the flagged finding in the HarborGuard dashboard and initiate a manual rebuild at the fix version.


Fix available: 10.11.16, 10.11.17, 11.5.5, 11.6.2, 11.7.0

Affected packages
  • Mattermost / Mattermost
    ≤ 11.6.1 · ≤ 11.5.4 · ≤ 10.11.15 · ≤ 10.11.16
    Fixed in 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17
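A version-classification check against the ranges listed above, as an added example that is not HarborGuard's scanner or Mattermost's code. The branch table is this example's own reading of the page: for 10.11 the page gives both "≤ 10.11.15" and "≤ 10.11.16" as affected and both 10.11.16 and 10.11.17 as fixes, so the wider affected bound is used (10.11.16 counts as affected, 10.11.17 as the fix). Versions on branches the page does not name (for example 10.10.x) are reported as not listed rather than as safe, since the page says nothing about them.

```go
package main

// Added example, not HarborGuard's or Mattermost's code: classifies a Mattermost
// version tag against the affected ranges listed on this page.

import (
	"fmt"
	"strconv"
	"strings"
)

type Status int

const (
	NotListed Status = iota // branch not named on the page; do not assume safe
	Affected
	Fixed
)

func (s Status) String() string {
	switch s {
	case Affected:
		return "affected"
	case Fixed:
		return "fixed"
	}
	return "not-listed"
}

type branch struct {
	major, minor int
	lastAffected int // -1: no affected patch level on this branch
	firstFixed   int
}

// Per-branch bounds as read from the page (see the lead-in for the 10.11 reading).
var branches = []branch{
	{11, 7, -1, 0},
	{11, 6, 1, 2},
	{11, 5, 4, 5},
	{10, 11, 16, 17},
}

// ParseVersion accepts "11.6.1", "v11.6.1" and "11.6.1-rc1"; a pre-release or
// build suffix is dropped so a tagged RC compares as its base version.
func ParseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("want major.minor.patch, got %q", v)
	}
	var n [3]int
	for i, p := range parts {
		n[i], err = strconv.Atoi(p)
		if err != nil || n[i] < 0 {
			return 0, 0, 0, fmt.Errorf("bad component %q in %q", p, v)
		}
	}
	return n[0], n[1], n[2], nil
}

// Classify returns Affected, Fixed or NotListed for a version tag. A parse error
// also yields NotListed so an unparseable tag (e.g. "latest") is never marked fixed.
func Classify(v string) (Status, error) {
	maj, mnr, patch, err := ParseVersion(v)
	if err != nil {
		return NotListed, err
	}
	for _, b := range branches {
		if b.major != maj || b.minor != mnr {
			continue
		}
		if patch <= b.lastAffected {
			return Affected, nil
		}
		if patch >= b.firstFixed {
			return Fixed, nil
		}
	}
	return NotListed, nil
}

func main() {
	// Constructed sample of image tags as they might appear in a registry.
	for _, tag := range []string{"11.6.1", "11.6.2", "v10.11.16", "10.11.17", "11.7.0", "10.10.3", "latest"} {
		st, err := Classify(tag)
		fmt.Printf("%-10s %-10s %v\n", tag, st, err)
	}
}
```

Treating "not listed" as a distinct outcome matters in practice: a scanner that collapses it into "fixed" will mark an unparseable tag such as latest, or an old branch the advisory never mentions, as clean.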
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H