Description
Mattermost Plugins versions <=11.3, 11.0.3, 11.2.2, 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized comment modification
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in the Mattermost Boards plugin allows any account holding editor permission on a board to alter comment blocks created by other members of that board. The plugin confirms that the caller may edit the board but does not confirm that the caller authored the specific comment being modified (CWE-639), so the content of other users' comments can be rewritten, breaking the integrity of what every viewer of the board sees.
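The following is an added illustration of the flaw class, written for this page; it is not Mattermost's code and the types, store and user/board names in it are constructed for the example. It places the flawed pattern (a board-level editor check only, with the caller-supplied comment ID never tied to the caller) beside the object-level check that closes it.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative types only; these are not the Boards plugin's own types.
type Role int

const (
	RoleNone Role = iota
	RoleViewer
	RoleEditor
)

// Comment is a comment block on a board. CreatedBy is the author's user ID.
type Comment struct {
	ID        string
	BoardID   string
	CreatedBy string
	Text      string
}

// Store is an in-memory stand-in for the plugin's persistence layer.
type Store struct {
	roles    map[string]map[string]Role // boardID -> userID -> role
	comments map[string]*Comment        // commentID -> comment
}

var (
	ErrNotFound  = errors.New("comment not found")
	ErrForbidden = errors.New("forbidden")
)

func (s *Store) roleOf(boardID, userID string) Role {
	return s.roles[boardID][userID] // missing keys yield RoleNone
}

// UpdateCommentVulnerable shows the flawed pattern the advisory describes: the
// only check is that the caller holds editor permission on the board owning the
// block. The comment ID is taken from the request (CWE-639) and nothing ties it
// to the caller, so any editor can rewrite any other member's comment.
func (s *Store) UpdateCommentVulnerable(userID, commentID, text string) error {
	c, ok := s.comments[commentID]
	if !ok {
		return ErrNotFound
	}
	if s.roleOf(c.BoardID, userID) < RoleEditor {
		return ErrForbidden
	}
	c.Text = text
	return nil
}

// UpdateCommentFixed keeps the board-level permission check and adds the
// object-level one: the caller must be the author of the comment block.
func (s *Store) UpdateCommentFixed(userID, commentID, text string) error {
	c, ok := s.comments[commentID]
	if !ok {
		return ErrNotFound
	}
	if s.roleOf(c.BoardID, userID) < RoleEditor {
		return ErrForbidden
	}
	if c.CreatedBy != userID {
		return ErrForbidden // editor permission alone is not enough
	}
	c.Text = text
	return nil
}

// NewDemoStore builds constructed sample data: one board with two editors
// (alice, bob) and one viewer (carol), plus a comment written by alice.
func NewDemoStore() *Store {
	return &Store{
		roles: map[string]map[string]Role{
			"board-1": {"alice": RoleEditor, "bob": RoleEditor, "carol": RoleViewer},
		},
		comments: map[string]*Comment{
			"comment-1": {ID: "comment-1", BoardID: "board-1", CreatedBy: "alice", Text: "original"},
		},
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println("vulnerable, bob edits alice's comment:", s.UpdateCommentVulnerable("bob", "comment-1", "tampered"))
	s = NewDemoStore()
	fmt.Println("fixed, bob edits alice's comment:     ", s.UpdateCommentFixed("bob", "comment-1", "tampered"))
	fmt.Println("fixed, alice edits her own comment:   ", s.UpdateCommentFixed("alice", "comment-1", "revised"))
}
```

Whether a board administrator should be allowed to moderate other members' comments is a policy decision the advisory does not address, so the fixed variant above restricts modification strictly to the author.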

Affected Systems

Mattermost Plugins up to and including versions 11.3, 11.0.3, 11.2.2 and 10.10.11.0 are affected. Any server running one of these releases, or an earlier unpatched build, may be vulnerable. The flaw is confined to the Boards plugin component on the server (NVD records it under the mattermost_server CPE).

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) indicates medium severity, and the EPSS score below 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account that already holds editor permission on the board; with that, the attacker can modify other members' comments over the network without any user interaction, but gains no additional privileges and no code execution. The risk to confidentiality and availability is therefore nil (C:N/A:N); the concern is the integrity of comment data.

Generated by OpenCVE AI on March 20, 2026 at 19:52 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost Plugins to 11.4.0, or to the patched release for your line (11.3.1, 11.2.3 or 10.11.11), as specified in the advisory.
  • Verify that the installed plugin version matches a patched release before treating the issue as closed.
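An added helper for the verification step, not part of the OpenCVE page or of Mattermost's tooling: it compares an installed Boards plugin version against the fixed releases listed in the vendor solution. The mapping rule it applies (a version is patched if it is at or above the fix on its own major.minor line, or, where its line has no listed fix, at or above the newest listed fix) is an assumption made here and is not stated by the advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedVersions are the patched releases named in the vendor solution.
var FixedVersions = []string{"11.4.0", "11.3.1", "11.2.3", "10.11.11"}

// parseVersion converts "11.3", "10.10.11.0" or "v11.2.3" to integer
// components. Pre-release suffixes are rejected rather than guessed at.
func parseVersion(v string) ([]int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if v == "" {
		return nil, fmt.Errorf("empty version string")
	}
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version component %q in %q", p, v)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions orders component-wise; missing trailing components count
// as 0, so "11.3" equals "11.3.0" and is below "11.3.1".
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// sameLine reports whether two versions share a major.minor release line.
func sameLine(a, b []int) bool {
	return len(a) >= 2 && len(b) >= 2 && a[0] == b[0] && a[1] == b[1]
}

// IsPatched reports whether an installed version is at or above the fix for
// its release line. Assumption (not stated by the advisory): a version whose
// major.minor line has no listed fix is patched only if it is at or above the
// newest listed fix, so 11.0.3 and 10.10.11.0 both come back false.
func IsPatched(installed string) (bool, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var newest []int
	for _, f := range FixedVersions {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if sameLine(v, fv) {
			return compareVersions(v, fv) >= 0, nil
		}
		if compareVersions(fv, newest) > 0 {
			newest = fv
		}
	}
	return compareVersions(v, newest) >= 0, nil
}

func main() {
	for _, v := range []string{"11.3", "11.3.1", "11.0.3", "11.2.3", "10.10.11.0", "10.11.11", "11.4.0"} {
		ok, err := IsPatched(v)
		fmt.Printf("%-12s patched=%v err=%v\n", v, ok, err)
	}
}
```

Feed it the version string from the plugin manifest as the server reports it (System Console plugin listing or the `/api/v4/plugins` endpoint); a bare "11.3" is treated as 11.3.0 and so flagged as unpatched, matching the advisory's "<=11.3".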



Advisories
Source       | ID                   | Title
Github GHSA  | GHSA-hf8w-x9h5-5gf9  | Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications
References
History

Fri, 20 Mar 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost Server
CPEs                |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Mattermost; Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 11:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
Title       |                | Missing authorization check allows unauthorized modification of other users' comments on a board
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T13:49:57.924Z

Reserved: 2026-02-13T11:09:37.505Z

Link: CVE-2026-2461

Vulnrichment

Updated: 2026-03-16T13:44:17.926Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:29.753

Modified: 2026-03-20T18:30:35.217

Link: CVE-2026-2461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:46Z

Weaknesses