Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620
Published: 2026-05-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.6.0 and earlier, 11.5.3 and earlier, 11.4.4 and earlier, and 10.11.14 and earlier fail to enforce file ownership checks when processing Boards API requests. An authenticated user who supplies a valid file identifier can download files that belong to other users or teams, exposing confidential data beyond the intended scope of that user. The weakness is a lack of proper access control and is cataloged as CWE-639.

Affected Systems

The vulnerability affects Mattermost deployments running any of the following versions: 10.11.x up to 10.11.14, 11.4.x up to 11.4.4, 11.5.x up to 11.5.3, and 11.6.x up to 11.6.0.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity. No EPSS data is available, so the real-world likelihood of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to the system and then craft a Boards API request using a valid file ID to access the victim's files. The attack surface is limited to users who have legitimate API access, but once authenticated, there is a risk of cross-user file exposure.

Generated by OpenCVE AI on May 22, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.
OpenCVE Recommended Actions

  • Upgrade Mattermost to any of the following patched versions: 11.7.0, 11.6.1, 11.5.4, 11.4.5, or 10.11.15 or later
  • If an upgrade is not immediately possible, restrict the use of the Boards API to trusted administrators or team leaders, and monitor API activity for anomalous file fetch patterns
  • Review and tighten file ownership and access controls in the Boards API if custom modifications exist, ensuring that each file request checks that the requester owns or is authorized for the file


Advisories

No advisories yet.

References
History

Fri, 22 May 2026 13:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Mattermost; Mattermost mattermost
Type: Vendors & Products | Values Removed: (none) | Values Added: Mattermost; Mattermost mattermost

Fri, 22 May 2026 13:30:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 11:00:00 +0000

Type: Description | Values Removed: (none) | Values Added: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620
Type: Title | Values Removed: (none) | Values Added: Improper file ownership validation in the Boards API allows unauthorised file access
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-639
Type: References | Values Removed: (none) | Values Added: (none)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T12:12:49.437Z

Reserved: 2026-03-03T12:57:13.379Z

Link: CVE-2026-3473

Vulnrichment

Updated: 2026-05-22T12:12:45.995Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T13:30:35Z

Weaknesses