Mattermost fails to validate user's authentication method when processing account auth type switch

GHSA-rv67-7w2g-7976 · CVE-2026-22545 · GO-2026-4786

Published Mar 16, 2026 · Modified Mar 23, 2026

Description

Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22545
WEB https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes