CVE-2026-2461

MEDIUM

Missing authorization check allows unauthorized modification of other users' comments on a board

Title source: cna

Description

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Exploits (1)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2461

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-639

Status published

Products (9)

Mattermost/Mattermost < 10.10.11

Mattermost/Mattermost < 11.0.3

Mattermost/Mattermost < 11.2.2

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.1

Mattermost/Mattermost 11.4.0

mattermost/mattermost-plugin-boards 0 - 0.0.0-20260108044135-57c5be5b6ef5Go

mattermost/mattermost_server < 10.11.11

Published Mar 16, 2026

Tracked Since Mar 16, 2026