GHSA-3c9r-7f29-qp32

Source

https://github.com/advisories/GHSA-3c9r-7f29-qp32

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3c9r-7f29-qp32

Aliases

Published

2026-02-16T12:30:24Z

Modified

2026-03-27T17:33:36.248964Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Mattermost fails to properly validate login method restrictions

Details

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Database specific

{
    "github_reviewed_at": "2026-02-19T19:34:56Z",
    "nvd_published_at": "2026-02-16T10:16:08Z",
    "cwe_ids": [
        "CWE-303"
    ],
    "github_reviewed": true,
    "severity": "MODERATE"
}

References

Affected packages

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20251212052346-61651b0df7ea

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.1.0

Database specific

last_known_affected_version_range

"< 11.1.3"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.11.0

Database specific

last_known_affected_version_range

"< 10.11.10"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.2.0

Database specific

last_known_affected_version_range

"< 11.2.2"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.2-0.20251212052346-61651b0df7ea

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3c9r-7f29-qp32/GHSA-3c9r-7f29-qp32.json"