CVE-2026-0999
📋 TL;DR
This vulnerability allows an authenticated user to bypass SSO-only login enforcement in Mattermost by authenticating with a userID-based login instead of the SSO flow. It affects Mattermost instances configured to permit SSO login only. An attacker could use it to reach accounts that should be reachable only through the identity provider.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain unauthorized access to user accounts that should be protected by SSO, potentially accessing sensitive communications, files, and administrative functions.
Likely Case
Internal users bypass SSO requirements to access accounts they shouldn't have access to, potentially violating access control policies and compliance requirements.
If Mitigated
With proper monitoring and access controls, unauthorized access attempts can be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires an authenticated user, but once authenticated the bypass is a matter of choosing the non-SSO login path, so it should be treated as straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.3, 10.11.10, 11.2.2 or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up your Mattermost instance and database.
2. Download the patched version for your release branch from Mattermost releases.
3. Stop the Mattermost service.
4. Install the patched version.
5. Restart the Mattermost service.
6. Verify the running version is updated.
🔧 Temporary Workarounds
Disable SSO-only restrictions temporarily
Temporarily allow non-SSO authentication methods until patching can be completed: edit Mattermost config.json and set 'EmailSettings.EnableSignInWithUsername' and 'EmailSettings.EnableSignInWithEmail' to true.
Caveat: this does not close the bypass. It removes the SSO-only control that the bypass defeats, so every user can then log in with a password by design rather than by exploit. Only use it where SSO-only login is not itself a policy or compliance requirement; otherwise the only real fix listed in this advisory is the upgrade.
🧯 If You Can't Patch
- Add authentication monitoring and alerting for non-SSO logins on an SSO-only instance and for other suspicious login patterns (see Detection & Monitoring below)
- Enforce strict access controls and review user permissions regularly so that a bypassed login gains as little as possible
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version via System Console > About or run: mattermost version
Check Version:
mattermost version
Verify Fix Applied:
Verify the installed version is at or above the fix for its release branch (10.11.10 on 10.11.x, 11.1.3 on 11.1.x, 11.2.2 on 11.2.x, or any later release). Do not compare across branches: 11.1.0 is numerically newer than 10.11.10 but is still unpatched. Then test SSO-only login enforcement by confirming that a password-based login is rejected.
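Added example (not part of the original advisory or of Mattermost's own tooling): a branch-aware check of a version string against the patched versions listed above. The sample strings fed to it are constructed; the assumption that any branch newer than 11.2 is patched follows from the advisory's "or later" wording, and branches the advisory does not name are reported as unknown rather than patched.

```python
"""Branch-aware patch check for CVE-2026-0999 (added example, not vendor code)."""
import re

# Fixed version per release branch, from the advisory: 10.11.10, 11.1.3, 11.2.2.
FIXED_VERSIONS = {
    (10, 11): (10, 11, 10),
    (11, 1): (11, 1, 3),
    (11, 2): (11, 2, 2),
}


def parse_version(text):
    """Extract the first x.y.z from arbitrary text, e.g. `mattermost version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def check(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a (major, minor, patch) tuple.

    The comparison is done within the release branch, so 11.1.0 is reported as
    vulnerable even though it is numerically above 10.11.10.
    """
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > max(FIXED_VERSIONS):
        # Assumption from the advisory's "or later": branches cut after the
        # newest patched branch carry the fix.
        return "patched"
    # Branch not named in the advisory (e.g. an older, unsupported line):
    # report unknown and treat it as vulnerable until confirmed otherwise.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample, not real `mattermost version` output.
    for sample in ("Version: 11.1.0", "Version: 11.1.3", "10.11.9", "11.3.0", "11.0.4"):
        print(sample, "->", check(parse_version(sample)))
```

Pipe the real output of `mattermost version` into parse_version on the host; a result of "unknown" should be handled like "vulnerable" in any automated gate.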
📡 Detection & Monitoring
Log Indicators:
- Failed SSO authentication attempts followed by successful userID-based logins
- Multiple login attempts from same user via different authentication methods
Network Indicators:
- Unusual authentication traffic patterns
- Login requests bypassing SSO endpoints
SIEM Query:
source="mattermost" AND (event="login" OR event="authentication") AND method!="sso" AND result="success"
(Field names are placeholders; map them to the fields your Mattermost audit-log pipeline actually emits. On an SSO-only instance any hit is a policy violation and worth an alert.)
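Added example (not from the original advisory or from Mattermost): the two log indicators and the SIEM query above run over constructed log lines. The line format (ts, user, event, method, result, ip) is an assumed simplified schema, not Mattermost's real audit-log format; map the field names before pointing this at production logs. It also shows why a time window matters for the "failed SSO then successful non-SSO" rule.

```python
"""Detection logic for the log indicators above (added example, assumed schema)."""
import json
from datetime import datetime, timedelta

# Constructed sample events; NOT real Mattermost audit-log output.
SAMPLE_LOG = """\
{"ts":"2026-02-01T09:00:00Z","user":"alice","event":"login","method":"sso","result":"success","ip":"10.0.0.5"}
{"ts":"2026-02-01T09:05:10Z","user":"bob","event":"login","method":"sso","result":"failure","ip":"10.0.0.9"}
{"ts":"2026-02-01T09:05:40Z","user":"bob","event":"login","method":"password","result":"success","ip":"10.0.0.9"}
{"ts":"2026-02-01T10:30:00Z","user":"carol","event":"login","method":"password","result":"success","ip":"10.0.0.7"}
{"ts":"2026-02-01T11:00:00Z","user":"dave","event":"login","method":"sso","result":"failure","ip":"10.0.0.3"}
{"ts":"2026-02-01T13:00:00Z","user":"dave","event":"login","method":"password","result":"success","ip":"10.0.0.3"}
{"ts":"2026-02-01T13:01:00Z","user":"erin","event":"logout","method":"sso","result":"success","ip":"10.0.0.2"}
not json at all
"""


def parse_events(text):
    """Parse one JSON record per line, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def successful_non_sso_logins(events):
    """Same predicate as the SIEM query: successful login/authentication not via SSO."""
    return [r for r in events
            if r["event"] in ("login", "authentication")
            and r["result"] == "success"
            and r["method"] != "sso"]


def sso_failure_then_non_sso_success(events, window=timedelta(minutes=10)):
    """Failed SSO attempt followed within `window` by a successful non-SSO login, same user.

    Returns (user, sso_failure_ts, non_sso_success_ts) tuples. Events are
    assumed sorted by time (parse_events guarantees this).
    """
    hits = []
    last_sso_failure = {}
    for r in events:
        if r["event"] != "login":
            continue
        if r["method"] == "sso" and r["result"] == "failure":
            last_sso_failure[r["user"]] = r["ts"]
        elif r["method"] != "sso" and r["result"] == "success":
            t = last_sso_failure.get(r["user"])
            if t is not None and r["ts"] - t <= window:
                hits.append((r["user"], t, r["ts"]))
    return hits


def users_with_multiple_methods(events):
    """Users who attempted login via more than one authentication method."""
    methods = {}
    for r in events:
        if r["event"] == "login":
            methods.setdefault(r["user"], set()).add(r["method"])
    return {u for u, m in methods.items() if len(m) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("non-SSO successes:", [r["user"] for r in successful_non_sso_logins(evs)])
    print("SSO fail -> non-SSO success:", sso_failure_then_non_sso_success(evs))
    print("multiple methods:", users_with_multiple_methods(evs))
```

With the constructed input, bob and carol and dave all show up as successful non-SSO logins; only bob trips the correlated rule, because dave's password login comes two hours after his SSO failure, outside the ten-minute window. Tune the window to your environment, and remember that on a correctly enforced SSO-only instance the first rule alone should never fire.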