Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
Fixes

Solution

Update Mattermost to versions 10.0.0, 9.10.3, 9.11.2, 9.5.10 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 29 Sep 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00067}

epss

{'score': 0.00078}


Tue, 29 Oct 2024 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 29 Oct 2024 08:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
Title Arbitrary post deletion via Playbooks /ignore-thread endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2024-10-29T12:52:31.657Z

Reserved: 2024-10-21T16:12:47.116Z

Link: CVE-2024-50052

cve-icon Vulnrichment

Updated: 2024-10-29T12:52:27.926Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-29T08:15:12.553

Modified: 2025-09-29T14:47:32.853

Link: CVE-2024-50052

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T22:01:26Z