We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
Reserved 2025-04-08 | Published 2025-04-16 | Updated 2025-04-16 | Assigner MattermostCWE-306: Missing Authentication for Critical Function
0x7oda7123
mattermost.com/security-updates
Support options