Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631
Published: 2026-05-15
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13 have a flaw where the enforced PostEditTimeLimit is not applied to certain non-message post fields, namely file attachments, props, and pin status. An authenticated user can therefore modify these fields through the post patch and update API endpoints after the edit window has expired, tampering with post data that the limit was meant to freeze. The weakness reflects a failure to enforce an established restriction on data (CWE-672).
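To make the defect class concrete, the following Go snippet (added here; it is illustrative and not Mattermost's own code, with the Post, Patch and check function names assumed) contrasts an edit-window check that only fires when the message text changes with a hardened check that treats a change to any mutable field as an edit:

```go
package main

import (
	"reflect"
	"time"
)

// Post holds the subset of post fields relevant to the edit-window check.
// Names are illustrative assumptions, not Mattermost's own types.
type Post struct {
	Message  string
	FileIDs  []string
	Props    map[string]any
	IsPinned bool
	CreateAt time.Time
}

// Patch carries the fields a client asked to change; nil means "not supplied".
type Patch struct {
	Message  *string
	FileIDs  []string
	Props    map[string]any
	IsPinned *bool
}

// withinWindow reports whether the post may still be edited; limitSec < 0
// means no limit is configured.
func withinWindow(p Post, limitSec int, now time.Time) bool {
	return limitSec < 0 || now.Sub(p.CreateAt) <= time.Duration(limitSec)*time.Second
}

// checkEditMessageOnly models the flawed pattern: the window is consulted only
// when the message text changes, so attachments, props and pin status pass.
func checkEditMessageOnly(p Post, patch Patch, limitSec int, now time.Time) bool {
	if patch.Message != nil && *patch.Message != p.Message {
		return withinWindow(p, limitSec, now)
	}
	return true
}

// checkEditAllFields is the hardened form: any change to a mutable field is
// an edit and is subject to the same window.
func checkEditAllFields(p Post, patch Patch, limitSec int, now time.Time) bool {
	changed := (patch.Message != nil && *patch.Message != p.Message) ||
		(patch.FileIDs != nil && !reflect.DeepEqual(patch.FileIDs, p.FileIDs)) ||
		(patch.Props != nil && !reflect.DeepEqual(patch.Props, p.Props)) ||
		(patch.IsPinned != nil && *patch.IsPinned != p.IsPinned)
	return !changed || withinWindow(p, limitSec, now)
}
```

A patch that supplies a field with its current value is treated as a no-op by the hardened check, so unchanged fields echoed back by a client do not trip the limit.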

Affected Systems

The vulnerability affects Mattermost deployments running the affected releases of the Mattermost product. Specifically, users of Mattermost 11.5.x and 10.11.x versions cannot rely on the edit time limit for the mentioned post fields until they update to a patched release.

Risk and Exploitability

The published CVSS score of 3.1 indicates low overall severity. No EPSS score is publicly available, and the issue is not listed in CISA’s KEV catalog, suggesting limited known exploitation. Nonetheless, exploitation requires a valid authenticated session and the use of the post patch or update API endpoints, which are network-accessible. An attacker who has legitimate credentials can repeatedly alter post attachments, properties, and pin status after the configured edit period, impacting data integrity in collaborative environments.

Generated by OpenCVE AI on May 15, 2026 at 20:20 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to a version that includes the fix, such as 11.6.0, 11.5.2, or 10.11.14 or higher.
  • Restrict write access to the post API endpoints by enforcing role-based permissions so only trusted users can perform post updates.
  • Enable detailed audit logging for post modifications and review logs for modifications occurring outside the permissible edit window to detect potential policy violations.



Advisories

No advisories yet.

References
History

Fri, 15 May 2026 21:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Mattermost; Mattermost mattermost
Vendors & Products    -                Mattermost; Mattermost mattermost

Fri, 15 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631
Title         -                post edit time limit is not enforced on some post update operations
Weaknesses    -                CWE-672
References    -                -
Metrics       -                cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-15T20:01:17.492Z

Reserved: 2026-03-12T16:07:22.695Z

Link: CVE-2026-4053

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T19:17:04.670

Modified: 2026-05-15T19:17:04.670

Link: CVE-2026-4053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:00:08Z

Weaknesses