Home

Description

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

PUBLISHED Reserved 2026-02-13 | Published 2026-03-16 | Updated 2026-03-16 | Assigner Mattermost




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version
affected

Any version
affected

Any version
affected

11.4.0
unaffected

11.3.1
unaffected

11.2.3
unaffected

10.11.11
unaffected

Credits

daynight finder

References

mattermost.com/security-updates (MMSA-2025-00559) vendor-advisory

cve.org (CVE-2026-2461)

nvd.nist.gov (CVE-2026-2461)

Download JSON