{"api_version":"1","generated_at":"2026-07-16T03:04:50+00:00","cve":"CVE-2026-10085","urls":{"html":"https://cve.report/CVE-2026-10085","api":"https://cve.report/api/cve/CVE-2026-10085.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-10085","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-10085"},"summary":{"title":"Ordinary group/direct message member can enable group_constrained and remove all channel participants","description":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688","state":"PUBLISHED","assigner":"Mattermost","published_at":"2026-07-13 09:16:22","updated_at":"2026-07-14 13:19:08"},"problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"responsibledisclosure@mattermost.com","type":"Secondary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://mattermost.com/security-updates","name":"https://mattermost.com/security-updates","refsource":"responsibledisclosure@mattermost.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-10085","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10085","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.7.0 11.7.2 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.6.0 11.6.4 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 10.11.0 10.11.19 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.8.0","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.7.3","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.6.5","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 10.11.20","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"se1en","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"10085","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mattermost","cpe5":"mattermost_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"10085","cve":"CVE-2026-10085","epss":"0.001700000","percentile":"0.065930000","score_date":"2026-07-14","updated_at":"2026-07-15 00:14:56"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-10085","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-13T13:56:53.842683Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-13T13:57:00.893Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.7.2","status":"affected","version":"11.7.0","versionType":"semver"},{"lessThanOrEqual":"11.6.4","status":"affected","version":"11.6.0","versionType":"semver"},{"lessThanOrEqual":"10.11.19","status":"affected","version":"10.11.0","versionType":"semver"},{"status":"unaffected","version":"11.8.0"},{"status":"unaffected","version":"11.7.3"},{"status":"unaffected","version":"11.6.5"},{"status":"unaffected","version":"10.11.20"}]}],"credits":[{"lang":"en","type":"finder","value":"se1en"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-13T08:05:42.370Z","orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost"},"references":[{"name":"MMSA-2026-00688","tags":["vendor-advisory"],"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","value":"Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."}],"source":{"advisory":"MMSA-2026-00688","defect":["https://mattermost.atlassian.net/browse/MM-69050"],"discovery":"EXTERNAL"},"title":"Ordinary group/direct message member can enable group_constrained and remove all channel participants","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","assignerShortName":"Mattermost","cveId":"CVE-2026-10085","datePublished":"2026-07-13T08:05:42.370Z","dateReserved":"2026-05-29T11:54:45.722Z","dateUpdated":"2026-07-13T13:57:00.893Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-13 09:16:22","lastModifiedDate":"2026-07-14 13:19:08","problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-13T13:56:53.842683Z","id":"CVE-2026-10085","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"10.11.0","versionEndExcluding":"10.11.20","matchCriteriaId":"806B772A-4575-47F4-BD6B-7422C9045190"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.6.0","versionEndExcluding":"11.6.5","matchCriteriaId":"2B2D3A05-5A6F-4121-80BE-6DC87A30C354"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.7.0","versionEndExcluding":"11.7.3","matchCriteriaId":"61277B68-8856-4C8A-97CC-E37742682A4B"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"10085","Ordinal":"1","Title":"Ordinary group/direct message member can enable group_constraine","CVE":"CVE-2026-10085","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"10085","Ordinal":"1","NoteData":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation via the channel patch API.. Mattermost Advisory ID: MMSA-2026-00688","Type":"Description","Title":"Ordinary group/direct message member can enable group_constraine"}]}}}