CVE-2026-2461

CWE-639 — Insecure Direct Object Reference6 documents5 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost/mattermost-plugin-boards Mattermost Mattermost Server Mattermost Mattermost

Timeline

PublishedMar 16

Latest updateMar 23

Description

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Gogithub.com/mattermost/mattermost-plugin-boards< 0.0.0-20260108044135-57c5be5b6ef5

▶NVDmattermost/mattermost_server11.1.0 — 11.2.3+3

▶CVEListV5mattermost/mattermost11.0.3+2

🔴Vulnerability Details

OSV

Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications in github.com/mattermost/mattermost-plugin-boards↗2026-03-23

▶

CVEList

Missing authorization check allows unauthorized modification of other users' comments on a board↗2026-03-16

▶

GHSA

Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications↗2026-03-16

▶

OSV

Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications↗2026-03-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2461 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶