CVE-2026-3473
Published 2026-05-22
Priority: P3 (44) | Severity: high | CVSS 3.1 base score: 7.1
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:L / A:N
EPSS: 0.15% (4.5th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. In CWE terms this is CWE-639 (authorization bypass through a user-controlled key): the file ID alone is accepted as proof of entitlement, and the requester is never checked against the team or board the file belongs to. Mattermost Advisory ID: MMSA-2026-00620.
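The flaw described above is the classic insecure-direct-object-reference pattern: a handler resolves a file by ID and serves it without comparing the requester against the file's owning scope. The Go code below is an added example written for this page, not Mattermost's own code; it uses a hypothetical in-memory store (`Store`, `FileInfo`, `NewSampleStore`, and the membership maps are all invented here) to show the vulnerable lookup next to a corrected one that requires membership in both the team and the board that own the file, and that returns the same error for "not found" and "not yours" so a valid-ID guess cannot be confirmed.

```go
package main

import (
	"errors"
	"fmt"
)

// FileInfo is a hypothetical record of an uploaded file and the scope it
// belongs to. Real servers store more, but these are the fields an
// authorization check needs.
type FileInfo struct {
	ID        string
	TeamID    string
	BoardID   string
	CreatorID string
	Content   []byte
}

// Store is a hypothetical in-memory stand-in for the server's database.
type Store struct {
	files        map[string]FileInfo
	teamMembers  map[string]map[string]bool // teamID  -> set of userIDs
	boardMembers map[string]map[string]bool // boardID -> set of userIDs
}

// ErrNotFound is returned both for unknown IDs and for files the requester
// may not see, so the endpoint is not an existence oracle for file IDs.
var ErrNotFound = errors.New("file not found")

// DownloadVulnerable mirrors the flawed pattern the advisory describes: any
// authenticated caller who supplies a valid file ID receives the bytes.
func (s *Store) DownloadVulnerable(userID, fileID string) ([]byte, error) {
	f, ok := s.files[fileID]
	if !ok {
		return nil, ErrNotFound
	}
	_ = userID // the requester's identity is never compared with the file's scope
	return f.Content, nil
}

// DownloadFixed resolves the file, then requires the requester to be a member
// of the owning team AND of the owning board before serving it. Indexing a
// nil inner map yields false, so unknown teams or boards deny by default.
func (s *Store) DownloadFixed(userID, fileID string) ([]byte, error) {
	f, ok := s.files[fileID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.teamMembers[f.TeamID][userID] || !s.boardMembers[f.BoardID][userID] {
		return nil, ErrNotFound // deny without revealing that the ID is valid
	}
	return f.Content, nil
}

// NewSampleStore builds constructed sample data: alice and bob share team-a,
// only alice is on board-1, and mallory belongs to an unrelated team-b.
func NewSampleStore() *Store {
	return &Store{
		files: map[string]FileInfo{
			"file-1": {ID: "file-1", TeamID: "team-a", BoardID: "board-1",
				CreatorID: "alice", Content: []byte("board attachment: quarterly-plan.pdf")},
		},
		teamMembers: map[string]map[string]bool{
			"team-a": {"alice": true, "bob": true},
			"team-b": {"mallory": true},
		},
		boardMembers: map[string]map[string]bool{
			"board-1": {"alice": true},
		},
	}
}

func main() {
	s := NewSampleStore()
	for _, user := range []string{"alice", "bob", "mallory"} {
		v, verr := s.DownloadVulnerable(user, "file-1")
		f, ferr := s.DownloadFixed(user, "file-1")
		fmt.Printf("%-8s vulnerable: %d bytes, err=%v | fixed: %d bytes, err=%v\n",
			user, len(v), verr, len(f), ferr)
	}
}
```

Note that team membership alone is not sufficient in the fixed path: bob is in team-a but not on board-1, so he is denied as well. Which scope is authoritative depends on the product's data model; the point is that the check has to be made against the file's recorded scope, not against the presence of a session.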
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| github.com | mattermost_mattermost-server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| github.com | mattermost_mattermost-server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| github.com | mattermost_mattermost-server | >= 11.6.0 < 11.6.1 | 11.6.1 |
| mattermost | mattermost | 10.11.0 – 10.11.14 | — |
| mattermost | mattermost | 11.4.0 – 11.4.4 | — |
| mattermost | mattermost | 11.5.0 – 11.5.3 | — |
| mattermost | mattermost | 11.6.0 – 11.6.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| mattermost | mattermost_server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| mattermost | mattermost_server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| mattermost | mattermost_server | >= 11.6.0 < 11.6.1 | 11.6.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| cvelistv5 (CNA) | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N |
The two vectors differ only in Attack Complexity (NVD: Low, CNA: High); all other metrics agree.
GHSA (reviewed) · 2026-05-26 · HIGH · CWE-639
Mattermost doesn't validate file ownership and access control
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
GHSA (unreviewed) · GHSA-7pf2-9c95-w332 · 2026-05-26 · HIGH · CWE-639
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
CVEList (cvelistv5) · 2026-05-22 · CVSS 5.9 MEDIUM · CWE-639
Improper file ownership validation in the Boards API allows unauthorised file access
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
VulDB · 2026-05-22 · LOW
Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 Boards API authorization
A vulnerability has been found in Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Boards API. This manipulation causes authorization bypass.
The identification of this vulnerability is CVE-2026-3473. It is possible to initiate the attack remotely. There is no exploit available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.