CVE-2026-4265
Awaiting Analysis Awaiting Analysis - Queue

Improper Permission Validation in Mattermost Enables Unauthorized File Uploads

Vulnerability report for CVE-2026-4265, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-16

Last updated on: 2026-03-18

Assigner: Mattermost, Inc.

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-16
Last Modified
2026-03-18
Generated
2026-07-06
AI Q&A
2026-03-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.11 (exc)
mattermost mattermost_server From 11.2.0 (inc) to 11.2.3 (exc)
mattermost mattermost_server From 11.3.0 (inc) to 11.3.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10. It occurs because the software fails to properly validate team-specific upload_file permissions. As a result, a guest user who has upload_file permission in one team can upload files there and then reuse the file metadata in a POST request to post files in channels of a different team where they do not have upload_file permission.

Impact Analysis

The impact of this vulnerability is that guest users can bypass intended permission restrictions and post files in channels where they should not have upload rights. This could lead to unauthorized file sharing or posting in restricted channels, potentially exposing sensitive information or disrupting communication.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart