Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User impersonation
Action: Patch
AI Analysis

Impact

Mattermost versions 11.3.x up to 11.3.0, 11.2.x up to 11.2.2, and 10.11.x up to 10.11.10 fail to sanitize client-supplied post metadata. An authenticated attacker can send crafted PUT requests to the post update API endpoint to insert or alter permalink embeds, causing messages to appear as if sent by other users. This allows user impersonation and can undermine trust in the collaboration platform. The vulnerability is classified as CWE-346 (Origin Validation Error).

Affected Systems

Vendors: Mattermost. Product: Mattermost. Affected versions include all releases 11.3.0 and older, 11.2.2 and older, and 10.11.10 and older. An attacker must be authenticated to exploit the vulnerability.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access and a crafted HTTP PUT request to the post update API, so this is authenticated misuse of the API by an existing user rather than an unauthenticated remote attack.

Generated by OpenCVE AI on March 18, 2026 at 19:39 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.4.0, 11.3.1, 11.2.3, 10.11.11 or later.
  • Confirm that the updated version is running by verifying the server version.

Advisories
Source: GitHub GHSA
ID: GHSA-ph22-fw5m-w2q9
Title: Mattermost allows attackers to spoof permalink embeds
References
History

Mon, 30 Mar 2026 07:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost mattermost
Vendors & Products  |                | Mattermost mattermost

Wed, 18 Mar 2026 18:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost Server
CPEs                |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Mattermost; Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 11:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Title       |                | WebSocket Message Spoofing via Permalink Embed Manipulation
Weaknesses  |                | CWE-346
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T13:49:57.761Z

Reserved: 2026-02-13T11:06:55.712Z

Link: CVE-2026-2457

Vulnrichment

Updated: 2026-03-16T13:44:16.018Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:29.367

Modified: 2026-03-18T17:49:10.550

Link: CVE-2026-2457

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:45Z

Weaknesses