CVE-2026-3637

MEDIUM4.3EPSS 0.03%

Mattermost doesn't check the create_post channel permission during post edit operations

Published: 5/18/2026Modified: 6/1/2026

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627

Affected packages (2)

Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260316171743-090408f09f53
Go/github.com/mattermost/mattermost/server/v8>= 10.11.0, < 10.11.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3637
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/090408f09f53ffc9afc6c65c7c7c1fd3a8cd22f3
WEBhttps://mattermost.com/security-updates