4.3
CVE-2026-3637
- EPSS 0.15%
- Veröffentlicht 18.05.2026 06:53:29
- Zuletzt bearbeitet 19.05.2026 17:34:01
- Quelle responsibledisclosure@mattermo
- CVE-Watchlists
- Unerledigt
Mattermost fails to enforce create_post permission when editing posts
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mattermost ≫ Mattermost Server Version >= 10.11.0 < 10.11.14
Mattermost ≫ Mattermost Server Version >= 11.4.0 < 11.4.4
Mattermost ≫ Mattermost Server Version >= 11.5.0 < 11.5.2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.047 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| responsibledisclosure@mattermost.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://mattermost.com/security-updates