CVE-2026-2461

Summary

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 11.0.3affected
MattermostMattermost0 <= 11.2.2affected
MattermostMattermost0 <= 10.10.11affected
MattermostMattermost11.4.0unaffected
MattermostMattermost11.3.1unaffected
MattermostMattermost11.2.3unaffected
MattermostMattermost10.11.11unaffected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References