CVE-2024-4195

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.

Published: Apr 26, 2024
Updated: May 4, 2025
CVE: CVE-2024-4195
GHSA: GHSA-5fh7-7mw7-mmx5
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	9.5.0	9.5.3
github.com/mattermost/mattermost-server	8.1.0	8.1.12
mattermost / mattermost_server	8.1.0	8.1.12
mattermost / mattermost_server	9.5.0	9.5.3

https://github.com/mattermost/mattermost/commit/1e3497e0595bb4f9908c94dd9d4685d48556b7e8
https://github.com/mattermost/mattermost/commit/f0872dd4e4ba34f061aa6982a71c7c29532aac2e
https://mattermost.com/security-updates

Vulnerability Database

CVE-2024-4195

Deep Security Visibility Without the Complexity