CVE-2026-4053

LOW

post edit time limit is not enforced on some post update operations

Title source: cna
STIX 2.1

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints.. Mattermost Advisory ID: MMSA-2026-00631

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00631
https://mattermost.com/security-updates

Scores

CVSS v3 3.1
EPSS 0.0007
EPSS Percentile 21.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-672
Status published
Products (6)
Mattermost/Mattermost 10.11.0 - 10.11.13
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.5.0 - 11.5.1
Mattermost/Mattermost 11.5.2
Mattermost/Mattermost 11.6.0
mattermost/mattermost_server 10.11.0 - 10.11.14
Published May 15, 2026
Tracked Since May 16, 2026