CVE-2026-24692Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 93.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMar 16
Latest updateMar 23

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server10.11.010.11.11+2
Gogithub.com/mattermost_mattermost-server10.11.0-rc110.11.11+6
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20260107142155-0481bd1fb045
CVEListV5mattermost/mattermost11.3.011.3.0+2

🔴Vulnerability Details

4
OSV
Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server2026-03-23
CVEList
Guest users can bypass read permissions via search API2026-03-16
GHSA
Mattermost fails to properly enforce read permissions in search API endpoints2026-03-16
OSV
Mattermost fails to properly enforce read permissions in search API endpoints2026-03-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-24692 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-24692 — Incorrect Authorization | cvebase