CVE-2026-3637

MEDIUM4.3EPSS 0.03%

Mattermost doesn't check the create_post channel permission during post edit operations

發布日:2026/5/18修改日:2026/6/1

描述

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627

受影響套件(2)

Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260316171743-090408f09f53
Go/github.com/mattermost/mattermost/server/v8>= 10.11.0, < 10.11.14

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3637
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/090408f09f53ffc9afc6c65c7c7c1fd3a8cd22f3
WEBhttps://mattermost.com/security-updates