CVE-2026-7387
Mattermost · Mattermost
Mattermost fails to enforce role-management authorization on group syncable link and patch endpoints, allowing for unauthorized privilege escalation.
Executive summary
A critical authorization flaw in Mattermost allows users to escalate their privileges to team or channel administrator status via crafted API requests.
Vulnerability
The vulnerability exists because the application does not require proper role-management authorization when setting the scheme_admin flag. A user with group-link permissions can send a crafted API request to escalate their own account—or those of group members—to team or channel admin privileges.
Business impact
With a CVSS score of 8.8, this privilege escalation vulnerability allows an attacker to gain elevated control over team and channel communications. This could lead to unauthorized access to private channels, information disclosure, and the potential to disrupt organizational communication channels.
Remediation
Immediate Action: Update to the latest patched version of Mattermost provided by the vendor.
Proactive Monitoring: Audit user account roles and permissions for unexpected administrative assignments and monitor API logs for unusual requests to group syncable endpoints.
Compensating Controls: Temporarily restrict group-link permissions for non-administrative users until the patch can be applied.
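As an added example (not part of this advisory or of Mattermost's own code), the following script implements the monitoring step above: it scans request-log lines for group syncable link/patch calls that set scheme_admin to true from a caller who holds no role-management role. The JSON-lines log format, the roles field and the sample events are constructed for the example; the endpoint paths are assumed from the public Mattermost v4 API and should be checked against your instance.

```python
import json
import re
from typing import Iterable, List, Tuple

# Group syncable link/patch endpoints (paths assumed from the Mattermost v4
# API reference; adjust if your instance differs).
SYNCABLE_RE = re.compile(
    r"^/api/v4/groups/[0-9a-z]+/(teams|channels)/[0-9a-z]+/(link|patch)$"
)
# Roles that legitimately carry role-management rights (assumed set).
ADMIN_ROLES = {"system_admin", "team_admin", "channel_admin"}


def is_suspicious(event: dict) -> bool:
    """True when a non-admin caller sets scheme_admin via a syncable endpoint."""
    if event.get("method") not in ("POST", "PUT", "PATCH"):
        return False
    if not SYNCABLE_RE.match(event.get("path", "")):
        return False
    body = event.get("body") or {}
    if body.get("scheme_admin") is not True:
        return False
    roles = set(event.get("roles", "").split())
    return not (roles & ADMIN_ROLES)


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user_id, method, path) for every suspicious request."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_suspicious(event):
            findings.append((event["user_id"], event["method"], event["path"]))
    return findings


# Constructed sample log lines (not real Mattermost output).
SAMPLE_LOG = """
{"user_id":"u1","roles":"system_user","method":"POST","path":"/api/v4/groups/g1/teams/t1/link","body":{"auto_add":true,"scheme_admin":true}}
{"user_id":"u2","roles":"system_user system_admin","method":"PUT","path":"/api/v4/groups/g1/channels/c1/patch","body":{"scheme_admin":true}}
{"user_id":"u1","roles":"system_user","method":"PUT","path":"/api/v4/groups/g1/channels/c1/patch","body":{"auto_add":false}}
{"user_id":"u3","roles":"system_user","method":"PUT","path":"/api/v4/groups/g1/channels/c1/patch","body":{"scheme_admin":true}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print("scheme_admin set by non-admin caller:", finding)
```

Only the two requests from non-admin users that set scheme_admin are reported; the admin's request and the request that only changes auto_add are not.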
Exploitation status
Public Exploit Available: no data recorded
Analyst recommendation
Privilege escalation in communication platforms can have severe consequences for organizational security. Administrators should prioritize updating their Mattermost instances and perform a comprehensive review of current administrative assignments to identify and revert any unauthorized escalations.