wid-sec-w-2026-0745 · Published 2026-03-16 · BSI CERT-Bund
Mattermost: Multiple Vulnerabilities
CVSS 4.3 (MEDIUM)
Risk Summary
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions. This allows a guest user to post files in channels where they lack the upload_file permission, by uploading files in a team where they have the permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553
CVEs (1)
Affected Vendors
Mattermost
Affected Products (18)
Mattermost · Mattermost Server <11.4.0
Mattermost · Mattermost Server 11.4.0
Mattermost · Mattermost Server <11.3.1
Mattermost · Mattermost Server 11.3.1
Mattermost · Mattermost Server <11.2.3
Mattermost · Mattermost Server 11.2.3
Mattermost · Mattermost Server <10.11.11
Mattermost · Mattermost Server 10.11.11
Mattermost · Mattermost Server <11.6.0
Mattermost · Mattermost Server 11.6.0
Mattermost · Mattermost Server <10.11.13
Mattermost · Mattermost Server 10.11.13
Mattermost · Mattermost Server <11.5.1
Mattermost · Mattermost Server 11.5.1
Mattermost · Mattermost Server <11.4.3
Mattermost · Mattermost Server 11.4.3
Mattermost · Mattermost Server <11.3.3
Mattermost · Mattermost Server 11.3.3