Mattermost fails to enforce create_post permission when editing posts

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627

Basic Information

ID CVE-2026-3637

Source Mattermost

Published May 18, 2026 at 06:53

Affected Product

Vendor Mattermost

Product Mattermost

Version 11.5.0

Affected Versions Mattermost Mattermost 11.5.0
Mattermost Mattermost 10.11.0
Mattermost Mattermost 11.4.0

CWE Classification

CWE-862

References

mattermost.com /security-updates

{
    "lastseen": "",
    "description": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627",
    "published": "2026-05-18T06:53:29.311Z",
    "modified": "2026-05-18T06:53:29.311Z",
    "type": "cve",
    "title": "Mattermost fails to enforce create_post permission when editing posts",
    "source": "Mattermost",
    "references": "https://mattermost.com/security-updates",
    "id": "CVE-2026-3637",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "Mattermost Mattermost 11.5.0\nMattermost Mattermost 10.11.0\nMattermost Mattermost 11.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mattermost",
    "version": "11.5.0",
    "vendor": "Mattermost",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Mattermost fails to enforce create_post permission when editing posts_CVE-2026-3637