CVE-2026-10103

Summary

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.7.0 <= 11.7.2affected
MattermostMattermost11.6.0 <= 11.6.4affected
MattermostMattermost10.11.0 <= 10.11.19affected
MattermostMattermost11.8.0unaffected
MattermostMattermost11.7.3unaffected
MattermostMattermost11.6.5unaffected
MattermostMattermost10.11.20unaffected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

References