Moderate severity · NVD Advisory · Published Feb 16, 2026 · Updated Feb 17, 2026
Authentication bypass via userID login when email and username login are disabled
CVE-2026-0999
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions, which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20251212052346-61651b0df7ea | 8.0.0-20251212052346-61651b0df7ea |
github.com/mattermost/mattermost-server (Go) | >= 11.1.0 | — |
github.com/mattermost/mattermost-server (Go) | >= 10.11.0 | — |
github.com/mattermost/mattermost-server (Go) | >= 11.2.0 | — |
github.com/mattermost/mattermost-server (Go) | < 5.3.2-0.20251212052346-61651b0df7ea | 5.3.2-0.20251212052346-61651b0df7ea |
Affected products
- Range: 11.1.0
Patches
61651b0df7ea User id auth control (#34441)
2 files changed · +101 −13
server/channels/app/login.go+15 −13 modified
@@ -95,23 +95,25 @@ func (a *App) GetUserForLogin(rctx request.CTX, id, loginId string) (*model.User
 	enableUsername := *a.Config().EmailSettings.EnableSignInWithUsername
 	enableEmail := *a.Config().EmailSettings.EnableSignInWithEmail
 
-	// If we are given a userID then fail if we can't find a user with that ID
-	if id != "" {
-		user, err := a.GetUser(id)
-		if err != nil {
-			if err.Id != MissingAccountError {
-				err.StatusCode = http.StatusInternalServerError
+	if enableEmail || enableUsername {
+		// If we are given a userID then fail if we can't find a user with that ID
+		if id != "" {
+			user, err := a.GetUser(id)
+			if err != nil {
+				if err.Id != MissingAccountError {
+					err.StatusCode = http.StatusInternalServerError
+					return nil, err
+				}
+				err.StatusCode = http.StatusBadRequest
 				return nil, err
 			}
-			err.StatusCode = http.StatusBadRequest
-			return nil, err
+			return user, nil
 		}
-		return user, nil
-	}
 
-	// Try to get the user by username/email
-	if user, err := a.Srv().Store().User().GetForLogin(loginId, enableUsername, enableEmail); err == nil {
-		return user, nil
+		// Try to get the user by username/email
+		if user, err := a.Srv().Store().User().GetForLogin(loginId, enableUsername, enableEmail); err == nil {
+			return user, nil
+		}
 	}
 
 	// Try to get the user with LDAP if enabled
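Review bot: The new `if enableEmail || enableUsername {` guard changes the contract of GetUserForLogin — an id lookup is now honoured only while username or email sign-in is enabled — but nothing in the hunk records why, and the function's doc comment, which sits outside the hunk, is unchanged. Suggest a comment directly above the guard: `// ID and username/email lookups belong to password-based login; when both are disabled, skip them and fall through to LDAP so an SSO-only deployment is not resolvable via a bare user ID.` The guard is config-wide, so whether the resolved user is itself eligible for password login (for example, not bound to an external auth service) is presumably enforced later in the login flow — worth confirming, since this hunk does not show it. The enclosing function continues past the hunk; the LDAP branch and the final error return are outside it.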
server/channels/app/login_test.go+86 −0 modified
@@ -4,6 +4,7 @@
 package app
 
 import (
+	"net/http"
 	"os"
 	"testing"
 
@@ -52,3 +53,88 @@ func TestCWSLogin(t *testing.T) {
 		require.Nil(t, user)
 	})
 }
+
+func TestGetUserForLogin(t *testing.T) {
+	mainHelper.Parallel(t)
+	th := Setup(t).InitBasic(t)
+
+	t.Run("Should get user with username when sign in with username is enabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithUsername = model.NewPointer(true)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, "", th.BasicUser.Username)
+		require.Nil(t, appErr)
+		require.NotNil(t, user)
+		require.Equal(t, th.BasicUser.Username, user.Username)
+	})
+
+	t.Run("Should not get user with username when sign in with username is disabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithUsername = model.NewPointer(false)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, "", th.BasicUser.Username)
+		require.NotNil(t, appErr)
+		require.Equal(t, http.StatusBadRequest, appErr.StatusCode)
+		require.Nil(t, user)
+	})
+
+	t.Run("Should get user with email when sign in with email is enabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithEmail = model.NewPointer(true)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, "", th.BasicUser.Email)
+		require.Nil(t, appErr)
+		require.NotNil(t, user)
+		require.Equal(t, th.BasicUser.Username, user.Username)
+	})
+
+	t.Run("Should not user with email when sign in with email is disabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithEmail = model.NewPointer(false)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, "", th.BasicUser.Email)
+		require.NotNil(t, appErr)
+		require.Equal(t, http.StatusBadRequest, appErr.StatusCode)
+		require.Nil(t, user)
+	})
+
+	t.Run("Should get user with user ID when sign in with email is enabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithEmail = model.NewPointer(true)
+			config.EmailSettings.EnableSignInWithUsername = model.NewPointer(false)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, th.BasicUser.Id, "")
+		require.Nil(t, appErr)
+		require.NotNil(t, user)
+		require.Equal(t, th.BasicUser.Username, user.Username)
+	})
+
+	t.Run("Should get user with user ID when sign in with username is enabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithEmail = model.NewPointer(false)
+			config.EmailSettings.EnableSignInWithUsername = model.NewPointer(true)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, th.BasicUser.Id, "")
+		require.Nil(t, appErr)
+		require.NotNil(t, user)
+		require.Equal(t, th.BasicUser.Username, user.Username)
+	})
+
+	t.Run("Should not get user with user ID when both sign in with email and username are disabled", func(t *testing.T) {
+		th.UpdateConfig(t, func(config *model.Config) {
+			config.EmailSettings.EnableSignInWithEmail = model.NewPointer(false)
+			config.EmailSettings.EnableSignInWithUsername = model.NewPointer(false)
+		})
+
+		user, appErr := th.App.GetUserForLogin(th.Context, th.BasicUser.Id, "")
+		require.NotNil(t, appErr)
+		require.Equal(t, http.StatusBadRequest, appErr.StatusCode)
+		require.Nil(t, user)
+	})
+}
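Review bot: The fourth subtest name reads `"Should not user with email when sign in with email is disabled"`; it should be `"Should not get user with email when sign in with email is disabled"` to match its siblings. The first four subtests each toggle only the flag they are about, so each inherits the other flag from the previous subtest's update — the fourth case appears to run with both flags false, which exercises the new guard rather than the email-only store path its name describes; setting both flags explicitly in every case, as the last three do, would make the cases order-independent. The table also never covers the id-not-found branch that the refactor relocated: a subtest passing a non-existent id with email sign-in enabled and asserting `http.StatusBadRequest` would pin that error handling. TestGetUserForLogin is complete within the hunk.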
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3c9r-7f29-qp32 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-0999 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/61651b0df7ea5db55d1e54f8d6fb5fce4149309c (ghsa, WEB)