CVE 5.4 MEDIUM

Authentication bypass via userID login when email and username login are disabled_CVE-2026-0999

February 16, 2026 invoker category_cve
5.4 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Basic Information

ID CVE-2026-0999
Source Mattermost
Published Feb 16, 2026 at 09:47

Affected Product

Vendor Mattermost
Product Mattermost
Version 11.1.0
Affected Versions Mattermost Mattermost 11.1.0
Mattermost Mattermost 10.11.0
Mattermost Mattermost 11.2.0

CWE Classification

CWE-303

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.