Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-3473

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-22 May, 2026 | 10:27
Updated At-22 May, 2026 | 12:12
Rejected At-
Credits

Improper file ownership validation in the Boards API allows unauthorised file access

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:22 May, 2026 | 10:27
Updated At:22 May, 2026 | 12:12
Rejected At:
▼CVE Numbering Authority (CNA)
Improper file ownership validation in the Boards API allows unauthorised file access

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost
Default Status
unaffected
Versions
Affected
  • From 11.6.0 through 11.6.0 (semver)
  • From 11.5.0 through 11.5.3 (semver)
  • From 11.4.0 through 11.4.4 (semver)
  • From 10.11.0 through 10.11.14 (semver)
Unaffected
  • 11.7.0
  • 11.6.1
  • 11.5.4
  • 11.4.5
  • 10.11.15
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639: Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-639
Description: CWE-639: Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.

Configurations
Workarounds
Exploits
Credits
finder
eahmed
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://mattermost.com/security-updates
vendor-advisory
Hyperlink: https://mattermost.com/security-updates
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet

Similar CVEs

5Records found
CVE-2024-32045
Matching Score-10
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-10
Assigner-Mattermost, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.27% / 50.01%
||
7 Day CHG~0.00%
Published-26 May, 2024 | 13:29
Updated-30 Sep, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Playbook run link to private channel grants channel access

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-28736
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.39%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 13:25
Updated-28 Apr, 2026 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

Action-Not Available
Vendor-Mattermost, Inc.
Product-focalboardFocalboard
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-2461
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-16 Mar, 2026 | 11:16
Updated-20 Mar, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorization check allows unauthorized modification of other users' comments on a board

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-9081
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.01% / 1.52%
||
7 Day CHG~0.00%
Published-19 Sep, 2025 | 19:36
Updated-25 Sep, 2025 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDOR in board file download allows any user to download any file by UUID

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-46701
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.88%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:19
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inaccessible Post Information Leak via Run Timeline IDOR

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found