CVE-2026-4265
Improper Permission Validation in Mattermost Enables Unauthorized File Uploads
Publication date: 2026-03-16
Last updated on: 2026-03-18
Assigner: Mattermost, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.11 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.3 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10. It occurs because the software fails to properly validate team-specific upload_file permissions. As a result, a guest user who has upload_file permission in one team can upload files there and then reuse the file metadata in a POST request to post files in channels of a different team where they do not have upload_file permission.
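The authorization decision the answer above describes, as an added illustration in Go (the language Mattermost is written in) that is not Mattermost's own code: the user, file and channel types, the team-scoped permission map and both check functions are constructed here. The flawed check trusts the upload_file permission that was established in the originating team at upload time; the corrected check re-evaluates upload_file against the destination channel's team when the post is created (and, as an extra hardening assumed here rather than taken from the advisory, refuses to carry a file across teams).

```go
package main

import "fmt"

// Constructed, simplified model of the CVE-2026-4265 decision (CWE-863):
// a check is performed, but against the wrong scope. Hypothetical types.

type FileInfo struct {
	ID     string
	TeamID string // team whose channel received the original upload
}

type Channel struct {
	ID     string
	TeamID string
}

type User struct {
	ID string
	// UploadFileTeams lists the teams in which the user holds upload_file.
	UploadFileTeams map[string]bool
}

func (u User) hasUploadFile(teamID string) bool { return u.UploadFileTeams[teamID] }

// canAttachVulnerable: the permission was validated once, in the team where
// the upload happened, and the file ID carried in the later post request is
// trusted without re-checking the destination team.
func canAttachVulnerable(u User, f FileInfo, dst Channel) bool {
	return u.hasUploadFile(f.TeamID) // wrong scope: origin team, not destination
}

// canAttachFixed re-validates at post time against the destination channel's
// team and (assumed hardening) keeps files inside the team they were uploaded to.
func canAttachFixed(u User, f FileInfo, dst Channel) bool {
	if !u.hasUploadFile(dst.TeamID) {
		return false
	}
	return f.TeamID == dst.TeamID
}

func main() {
	guest := User{ID: "guest", UploadFileTeams: map[string]bool{"teamA": true}}
	file := FileInfo{ID: "file1", TeamID: "teamA"} // uploaded where permitted
	chanB := Channel{ID: "chanB", TeamID: "teamB"} // guest lacks upload_file here
	fmt.Println("vulnerable allows:", canAttachVulnerable(guest, file, chanB)) // true
	fmt.Println("fixed allows:", canAttachFixed(guest, file, chanB))           // false
}
```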
How can this vulnerability impact me?
The impact of this vulnerability is that guest users can bypass intended permission restrictions and post files in channels where they should not have upload rights. This could lead to unauthorized file sharing or posting in restricted channels, potentially exposing sensitive information or disrupting communication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know