CVE-2026-10103
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 11.7.0 <= 11.7.2 | affected |
| Mattermost | Mattermost | 11.6.0 <= 11.6.4 | affected |
| Mattermost | Mattermost | 10.11.0 <= 10.11.19 | affected |
| Mattermost | Mattermost | 11.8.0 | unaffected |
| Mattermost | Mattermost | 11.7.3 | unaffected |
| Mattermost | Mattermost | 11.6.5 | unaffected |
| Mattermost | Mattermost | 10.11.20 | unaffected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.