Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to posts and files
Action: Patch
AI Analysis

Impact

Mattermost Server versions 11.3.x (up to 11.3.0), 11.2.x (up to 11.2.2), and 10.11.x (up to 10.11.10) fail to enforce channel read permissions in the search API endpoints. This access‑control vulnerability allows guest users who lack read rights to a channel to retrieve its posts and files through search requests, because search results are not checked against the requesting user's permissions before being returned. The flaw is classified as CWE‑863 (Incorrect Authorization).

Affected Systems

The affected systems are installations of Mattermost Server. Any of the listed vulnerable versions is susceptible: 11.3.0 or earlier in the 11.3.x branch, 11.2.2 or earlier in the 11.2.x branch, and 10.11.10 or earlier in the 10.11.x branch. Releases that include the fix (11.4.0, 11.3.1, 11.2.3, 10.11.11 and later) are not affected.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) denotes medium severity: the flaw is reachable over the network with low attack complexity, needs only low privileges and no user interaction, and affects confidentiality alone, with no integrity or availability impact. The EPSS score of less than 1% indicates a low probability of exploitation, the SSVC assessment records no known exploitation, a non-automatable attack and a partial technical impact, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a network‑accessible call to the search API endpoints, requiring only that the attacker hold a guest account with a valid session. No additional attacker privileges or conditions are described.

Generated by OpenCVE AI on March 18, 2026 at 15:38 UTC.
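The flaw described above in miniature, as an added Go example (Mattermost Server is written in Go) that is not Mattermost's own code: a search routine that matches posts on the search term but never consults the caller's channel read permissions, beside the same search with the check applied to every hit. The types, the read-permission policy, the channel and post data and the names used here are all hypothetical and constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration, not Mattermost code. Types, policy and data are
// hypothetical; the only point is where the read check must sit.

type Channel struct {
	ID       string
	IsPublic bool
	Members  map[string]bool // set of member user IDs
}

type Post struct {
	ID        string
	ChannelID string
	Message   string
}

type User struct {
	ID      string
	IsGuest bool
}

type Store struct {
	channels map[string]*Channel
	posts    []Post
}

// canReadChannel is the read check the vulnerable search skips. Assumed
// policy for this model: members may read their channels, non-guest users
// may also read public channels, guests only channels they were added to.
func (s *Store) canReadChannel(u User, channelID string) bool {
	ch, ok := s.channels[channelID]
	if !ok {
		return false
	}
	if ch.Members[u.ID] {
		return true
	}
	return ch.IsPublic && !u.IsGuest
}

// searchUnfiltered is the vulnerable shape: it matches on the term alone,
// so whoever calls it receives every matching post regardless of channel.
func (s *Store) searchUnfiltered(terms string) []Post {
	needle := strings.ToLower(terms)
	var hits []Post
	for _, p := range s.posts {
		if strings.Contains(strings.ToLower(p.Message), needle) {
			hits = append(hits, p)
		}
	}
	return hits
}

// searchAuthorized is the fixed shape: each hit is checked against the
// requesting user's read permission before it is returned.
func (s *Store) searchAuthorized(u User, terms string) []Post {
	var out []Post
	for _, p := range s.searchUnfiltered(terms) {
		if s.canReadChannel(u, p.ChannelID) {
			out = append(out, p)
		}
	}
	return out
}

// demoStore holds constructed sample data: a public channel, a private
// channel the guest belongs to, and a private channel the guest does not.
func demoStore() *Store {
	return &Store{
		channels: map[string]*Channel{
			"town-square": {ID: "town-square", IsPublic: true, Members: map[string]bool{"alice": true}},
			"guest-proj":  {ID: "guest-proj", Members: map[string]bool{"alice": true, "guest1": true}},
			"exec-only":   {ID: "exec-only", Members: map[string]bool{"alice": true}},
		},
		posts: []Post{
			{ID: "p1", ChannelID: "town-square", Message: "Lunch plans for Friday"},
			{ID: "p2", ChannelID: "guest-proj", Message: "Acquisition draft shared with the vendor"},
			{ID: "p3", ChannelID: "exec-only", Message: "Acquisition target list, do not forward"},
		},
	}
}

// postIDs reduces a result set to its IDs for display and checks.
func postIDs(ps []Post) []string {
	ids := make([]string, 0, len(ps))
	for _, p := range ps {
		ids = append(ids, p.ID)
	}
	return ids
}

func main() {
	s := demoStore()
	guest := User{ID: "guest1", IsGuest: true}
	fmt.Println("vulnerable search as guest1:", postIDs(s.searchUnfiltered("acquisition")))
	fmt.Println("fixed search as guest1:     ", postIDs(s.searchAuthorized(guest, "acquisition")))
}
```

Post-filtering the hits, as searchAuthorized does, is the minimal fix; in a production search path the permission constraint is better pushed into the query itself (restricting to channels the caller can read), since filtering after the fact can still leak information through result counts and pagination. The essential point either way is that the search endpoint must perform the same read check the per-channel post and file endpoints perform, rather than relying on those endpoints alone.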

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.4.0, 11.3.1, 11.2.3, 10.11.11, or any newer release that includes the fix.


Advisories

  • Source: GitHub GHSA
  • ID: GHSA-cwfj-642j-gfh4
  • Title: Mattermost fails to properly enforce read permissions in search API endpoints

History

Wed, 18 Mar 2026 14:00:00 +0000

Values added
  • First Time appeared: Mattermost mattermost Server
  • CPEs: cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
  • Vendors & Products: Mattermost mattermost Server

Tue, 17 Mar 2026 10:00:00 +0000

Values added
  • First Time appeared: Mattermost; Mattermost mattermost
  • Vendors & Products: Mattermost; Mattermost mattermost

Mon, 16 Mar 2026 19:15:00 +0000

Values added
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 15:15:00 +0000

Values added
  • Description: Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
  • Title: Guest users can bypass read permissions via search API
  • Weaknesses: CWE-863
  • References
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T18:19:26.675Z

Reserved: 2026-02-13T10:01:31.964Z

Link: CVE-2026-24692

Vulnrichment

Updated: 2026-03-16T18:19:23.139Z

NVD

Status : Analyzed

Published: 2026-03-16T15:16:21.290

Modified: 2026-03-18T13:54:50.950

Link: CVE-2026-24692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:24Z

Weaknesses