CVE-2026-3473

Summary

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.6.0 <= 11.6.0affected
MattermostMattermost11.5.0 <= 11.5.3affected
MattermostMattermost11.4.0 <= 11.4.4affected
MattermostMattermost10.11.0 <= 10.11.14affected
MattermostMattermost11.7.0unaffected
MattermostMattermost11.6.1unaffected
MattermostMattermost11.5.4unaffected
MattermostMattermost11.4.5unaffected
MattermostMattermost10.11.15unaffected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References