{"cve_id":"CVE-2026-4274","summary":"Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"epss":0.0003,"ranking_epss":0.08505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mattermost.com/security-updates"],"published_time":"2026-03-26T11:16:21","cpes":["cpe:2.3:a:mattermost:mattermost_server:10.11.0","cpe:2.3:a:mattermost:mattermost_server:10.11.1","cpe:2.3:a:mattermost:mattermost_server:10.11.10","cpe:2.3:a:mattermost:mattermost_server:10.11.2","cpe:2.3:a:mattermost:mattermost_server:10.11.3","cpe:2.3:a:mattermost:mattermost_server:10.11.4","cpe:2.3:a:mattermost:mattermost_server:10.11.5","cpe:2.3:a:mattermost:mattermost_server:10.11.6","cpe:2.3:a:mattermost:mattermost_server:10.11.7","cpe:2.3:a:mattermost:mattermost_server:10.11.8","cpe:2.3:a:mattermost:mattermost_server:10.11.9","cpe:2.3:a:mattermost:mattermost_server:11.2.0","cpe:2.3:a:mattermost:mattermost_server:11.2.1","cpe:2.3:a:mattermost:mattermost_server:11.2.2","cpe:2.3:a:mattermost:mattermost_server:11.3.0","cpe:2.3:a:mattermost:mattermost_server:11.3.1","cpe:2.3:a:mattermost:mattermost_server:11.4.0"]}