CVE-2026-3473
Analyzed - Analysis Complete
BaseFortify
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Mattermost, Inc.
Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.15 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.5 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.4 (exc) |
| mattermost | mattermost_server | From 11.6.0 (inc) to 11.6.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |