Impact
Mattermost Server versions 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, and 10.11.x up to and including 10.11.10 fail to validate team-specific upload_file permissions. A guest user who holds upload_file permission in one team can therefore post a file into a channel of a different team in which that permission was never granted. The flaw is an authorization bypass (CWE-863, Incorrect Authorization): the permission is checked against the team the file was uploaded through rather than the team that owns the destination channel. In practice this lets a guest place files, which may carry malicious content or data the recipients were not meant to receive, into channels that were supposed to be closed to that guest, undermining the integrity of the target team's channel content and the confidentiality boundaries between teams.
Affected Systems
Affected product: Mattermost Server (vendor: Mattermost). Vulnerable versions: 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, and 10.11.x up to and including 10.11.10.
Risk and Exploitability
The CVSS base score is 4.3 (medium). The EPSS score is below 1%, indicating a low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated guest account that already holds upload_file permission in at least one team. The guest uploads a file through that team, then reuses the returned file metadata in a subsequent post-creation request aimed at a channel in a different team; the server accepts the post without re-checking upload_file against the target team. No privileges beyond that guest account are needed, and both requests are ordinary calls to Mattermost's standard file-upload and post REST endpoints, so any client that can reach the server's API can perform them.
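The two-step flow above, modelled as a small Go program that contrasts a check of the kind the advisory describes with a corrected one. This is an added illustration, not Mattermost's code or its fix: the types (User, Channel, FileInfo), the helper functions (uploadFile, createPostVulnerable, createPostFixed, sampleScenario) and the team and file identifiers are all hypothetical simplifications. The vulnerable variant evaluates upload_file against the team recorded on the file at upload time; the fixed variant evaluates it against the team that owns the channel receiving the post.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a named capability that is granted per team.
type Permission string

const PermissionUploadFile Permission = "upload_file"

// User carries team-scoped permissions: teamID -> permission -> granted.
// (Hypothetical model; a guest holds only what is granted explicitly per team.)
type User struct {
	ID        string
	Guest     bool
	TeamPerms map[string]map[Permission]bool
}

// Channel belongs to exactly one team.
type Channel struct {
	ID     string
	TeamID string
}

// FileInfo records who uploaded a file and under which team the upload was authorized.
type FileInfo struct {
	ID        string
	CreatorID string
	TeamID    string
}

// HasPermissionToTeam reports whether u holds p in the given team.
// Indexing a missing team yields a nil map, which in turn yields false.
func (u *User) HasPermissionToTeam(teamID string, p Permission) bool {
	return u.TeamPerms[teamID][p]
}

// uploadFile is step one of the flow. It is gated correctly on the team the
// client names in the upload request and returns the metadata a client would reuse.
func uploadFile(u *User, teamID, fileID string) (FileInfo, error) {
	if !u.HasPermissionToTeam(teamID, PermissionUploadFile) {
		return FileInfo{}, fmt.Errorf("user %s lacks %s in team %s", u.ID, PermissionUploadFile, teamID)
	}
	return FileInfo{ID: fileID, CreatorID: u.ID, TeamID: teamID}, nil
}

var errNotOwner = errors.New("file not owned by posting user")

// createPostVulnerable models the flawed check: it verifies ownership and that
// the uploader may upload in the team recorded on the file, but never asks
// whether the user may upload in the team that owns the destination channel.
func createPostVulnerable(u *User, ch Channel, files []FileInfo) error {
	for _, f := range files {
		if f.CreatorID != u.ID {
			return errNotOwner
		}
		if !u.HasPermissionToTeam(f.TeamID, PermissionUploadFile) {
			return fmt.Errorf("user %s lacks %s in team %s", u.ID, PermissionUploadFile, f.TeamID)
		}
	}
	return nil
}

// createPostFixed evaluates upload_file against ch.TeamID, the team of the
// channel actually receiving the post, so a file authorized in team-a cannot be
// attached to a post in team-b unless the user also holds upload_file in team-b.
func createPostFixed(u *User, ch Channel, files []FileInfo) error {
	if len(files) > 0 && !u.HasPermissionToTeam(ch.TeamID, PermissionUploadFile) {
		return fmt.Errorf("user %s lacks %s in team %s", u.ID, PermissionUploadFile, ch.TeamID)
	}
	for _, f := range files {
		if f.CreatorID != u.ID {
			return errNotOwner
		}
	}
	return nil
}

// sampleScenario builds the constructed situation from the advisory: a guest
// with upload_file only in team-a, plus one channel in each team.
func sampleScenario() (*User, Channel, Channel) {
	guest := &User{
		ID:    "guest-1",
		Guest: true,
		TeamPerms: map[string]map[Permission]bool{
			"team-a": {PermissionUploadFile: true},
			"team-b": {},
		},
	}
	return guest, Channel{ID: "chan-a", TeamID: "team-a"}, Channel{ID: "chan-b", TeamID: "team-b"}
}

func main() {
	guest, _, chB := sampleScenario()
	f, err := uploadFile(guest, "team-a", "file-1") // legitimate upload in team-a
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", createPostVulnerable(guest, chB, []FileInfo{f})) // <nil>: cross-team post accepted
	fmt.Println("fixed:     ", createPostFixed(guest, chB, []FileInfo{f}))       // error: rejected
}
```

The point the model makes is that file metadata is a capability minted under one team's authorization and presented under another's; the server has to re-derive the relevant team from the destination channel at post time rather than trust what the file record says.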
OpenCVE enrichment source: GitHub GHSA