CVE-2016-11077: Mattermost Server allows System Admin to modify LDAP account names and email addresses

May 24, 2022 (updated October 22, 2025)

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.

References

github.com/advisories/GHSA-mj8v-773w-5qhj
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/5d7e34c94b56c4b0abb0c3d1702f2b5feb8d2904
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2016-11077

Code Behaviors & Features

Detect and mitigate CVE-2016-11077 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →