CVE-2026-24692
MEDIUM4.3EPSS 0.03%Mattermost fails to properly enforce read permissions in search API endpoints
發布日:2026/3/16修改日:2026/3/23
描述
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
受影響套件(6)
- Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260107142155-0481bd1fb045
- Go/github.com/mattermost/mattermost-server>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
- Go/github.com/mattermost/mattermost-server/v5from 0
- Go/github.com/mattermost/mattermost-server/v6from 0
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20260107142155-0481bd1fb045
- Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20260107142155-0481bd1fb045
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |