CVE-2026-3473
published 2026-05-22

Priority: P3 44
CVSS 3.1: 7.1 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.15% (4.5th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620

Affected (12 ranges)

Vendor       Product                        Version range           Fixed in
github.com   mattermost_mattermost-server   >= 10.11.0 < 10.11.15   10.11.15
github.com   mattermost_mattermost-server   >= 11.4.0 < 11.4.5      11.4.5
github.com   mattermost_mattermost-server   >= 11.5.0 < 11.5.4      11.5.4
github.com   mattermost_mattermost-server   >= 11.6.0 < 11.6.1      11.6.1
mattermost   mattermost                     10.11.0 – 10.11.14
mattermost   mattermost                     11.4.0 – 11.4.4
mattermost   mattermost                     11.5.0 – 11.5.3
mattermost   mattermost                     11.6.0 – 11.6.0
mattermost   mattermost_server              >= 10.11.0 < 10.11.15   10.11.15
mattermost   mattermost_server              >= 11.4.0 < 11.4.5      11.4.5
mattermost   mattermost_server              >= 11.5.0 < 11.5.4      11.5.4
mattermost   mattermost_server              >= 11.6.0 < 11.6.1      11.6.1

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.1     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
cvelistv5   v3.1      5.9     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N