PatchSiren cyber security CVE debrief
CVE-2026-3637 Mattermost CVE debrief
Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 contain an authorization bypass vulnerability. The application fails to validate the `create_post` channel permission when processing post edit operations. An authenticated attacker whose posting privileges have been revoked can continue to modify their existing posts by sending direct API requests to the post update and patch endpoints. This represents a broken access control issue (CWE-862) where permission checks are inconsistently applied between post creation and post modification workflows. The vulnerability requires network access and valid authentication credentials, but no user interaction. The CVSS 3.1 vector indicates low attack complexity with low integrity impact and no confidentiality or availability impact.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Mattermost administrators managing multi-user collaboration environments with dynamic permission structures, security teams responsible for access control validation in self-hosted messaging platforms, and compliance officers tracking data integrity in regulated communication channels.
Technical summary
The vulnerability exists in the post update and patch API endpoints where the `create_post` channel permission check is omitted during edit operations. While the application correctly enforces this permission for new post creation, the same validation is not applied when modifying existing posts. This architectural inconsistency allows users who have had their posting privileges revoked to retain the ability to edit their historical posts. The issue affects three maintained release branches and was addressed with point releases that restore proper permission validation across all post modification workflows.
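The create/edit inconsistency described above, shown as an added illustration written for this debrief rather than Mattermost's own code: a constructed in-memory store whose `CreatePost` enforces a `create_post` channel permission, an `UpdatePostVulnerable` that checks only post ownership (the pattern the advisory describes, where the channel permission is never consulted on edit), and an `UpdatePostFixed` that applies the same channel check to edits. All type, function and identifier names here are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed permission name; mirrors the permission the advisory names.
const PermissionCreatePost = "create_post"

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("post not found")
)

// Post is a minimal constructed post record.
type Post struct {
	ID        string
	ChannelID string
	UserID    string
	Message   string
}

// Store keeps per-channel permission grants and posts in memory (constructed).
type Store struct {
	// perms[channelID][userID] is the set of permissions the user holds in that channel.
	perms map[string]map[string]map[string]bool
	posts map[string]*Post
}

func NewStore() *Store {
	return &Store{perms: map[string]map[string]map[string]bool{}, posts: map[string]*Post{}}
}

// Grant gives userID the permission perm in channelID.
func (s *Store) Grant(channelID, userID, perm string) {
	if s.perms[channelID] == nil {
		s.perms[channelID] = map[string]map[string]bool{}
	}
	if s.perms[channelID][userID] == nil {
		s.perms[channelID][userID] = map[string]bool{}
	}
	s.perms[channelID][userID][perm] = true
}

// Revoke removes perm from userID in channelID (no-op if absent).
func (s *Store) Revoke(channelID, userID, perm string) {
	if m := s.perms[channelID][userID]; m != nil {
		delete(m, perm)
	}
}

// HasPermission reports whether userID holds perm in channelID; nil maps read as false.
func (s *Store) HasPermission(channelID, userID, perm string) bool {
	return s.perms[channelID][userID][perm]
}

// CreatePost enforces the channel permission, as the advisory says creation does.
func (s *Store) CreatePost(userID string, p Post) error {
	if !s.HasPermission(p.ChannelID, userID, PermissionCreatePost) {
		return ErrForbidden
	}
	p.UserID = userID
	s.posts[p.ID] = &p
	return nil
}

// UpdatePostVulnerable checks only ownership. The channel permission is never
// consulted, so a user whose create_post right was revoked can still edit.
func (s *Store) UpdatePostVulnerable(userID, postID, msg string) error {
	p, ok := s.posts[postID]
	if !ok {
		return ErrNotFound
	}
	if p.UserID != userID {
		return ErrForbidden
	}
	p.Message = msg
	return nil
}

// UpdatePostFixed applies the same create_post check on edit as on create.
func (s *Store) UpdatePostFixed(userID, postID, msg string) error {
	p, ok := s.posts[postID]
	if !ok {
		return ErrNotFound
	}
	if p.UserID != userID {
		return ErrForbidden
	}
	if !s.HasPermission(p.ChannelID, userID, PermissionCreatePost) {
		return ErrForbidden
	}
	p.Message = msg
	return nil
}

// Scenario posts as a permitted user, revokes the permission, then attempts an
// edit through both paths and returns each path's result.
func Scenario() (vulnErr, fixedErr error) {
	s := NewStore()
	s.Grant("town-square", "alice", PermissionCreatePost)
	_ = s.CreatePost("alice", Post{ID: "p1", ChannelID: "town-square", Message: "hello"})
	s.Revoke("town-square", "alice", PermissionCreatePost)
	vulnErr = s.UpdatePostVulnerable("alice", "p1", "edited anyway")
	fixedErr = s.UpdatePostFixed("alice", "p1", "edit blocked")
	return vulnErr, fixedErr
}

func main() {
	v, f := Scenario()
	fmt.Println("vulnerable path:", v) // nil: the edit goes through
	fmt.Println("fixed path:", f)      // forbidden
}
```

The fix is deliberately the same predicate the create path already uses, placed in the edit handlers rather than duplicated as a second rule; sharing one permission check across every post-modifying entry point is what keeps the two workflows from drifting apart again.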
Defensive priority
medium
Recommended defensive actions
- Review and upgrade Mattermost Server installations to a patched release: 10.11.14 or later on the 10.11.x branch, 11.4.4 or later on the 11.4.x branch, or 11.5.2 or later on the 11.5.x branch
- Audit channel member permissions to identify users with revoked posting privileges who may have exploited this vulnerability
- Review post edit logs for unauthorized modifications by users who should not have had active posting permissions
- Implement API request monitoring for post update and patch endpoints to detect anomalous editing activity
- Verify that permission enforcement is consistent across all post-related API endpoints after patching
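The monitoring and log-review actions above, as an added example that is not part of this debrief or of Mattermost: a small Go scanner over constructed JSON access-log lines that flags successful `PUT` requests to the post update and patch endpoints from users who, according to a permission snapshot, no longer hold `create_post` in the post's channel. The paths `/api/v4/posts/{post_id}` and `/api/v4/posts/{post_id}/patch` are the Mattermost v4 REST API update and patch endpoints; the log field names, the presence of a `channel_id` field on each record, and the sample values are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// AccessLog is a constructed access-log record; field names are an assumption,
// not Mattermost's log schema. A real pipeline would have to enrich each post_id
// with its channel before this check can run.
type AccessLog struct {
	Timestamp string `json:"ts"`
	UserID    string `json:"user_id"`
	Method    string `json:"method"`
	Path      string `json:"path"`
	Status    int    `json:"status"`
	ChannelID string `json:"channel_id"`
}

// postEditPath matches the v4 update and patch endpoints for a single post.
var postEditPath = regexp.MustCompile(`^/api/v4/posts/[A-Za-z0-9]+(/patch)?$`)

// Alert is one flagged edit.
type Alert struct {
	Timestamp, UserID, Path string
}

// FindUnauthorizedEdits returns successful edit requests made by users who hold
// no create_post right in the post's channel per canPost[channelID][userID].
// On a vulnerable server such requests return 2xx, so the server's own verdict
// cannot be trusted; the permission snapshot is the reference instead.
func FindUnauthorizedEdits(logLines string, canPost map[string]map[string]bool) ([]Alert, error) {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(logLines), "\n") {
		var rec AccessLog
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if rec.Method != "PUT" || !postEditPath.MatchString(rec.Path) {
			continue // not a post update/patch request
		}
		if rec.Status < 200 || rec.Status >= 300 {
			continue // rejected requests are not successful edits
		}
		if !canPost[rec.ChannelID][rec.UserID] {
			alerts = append(alerts, Alert{Timestamp: rec.Timestamp, UserID: rec.UserID, Path: rec.Path})
		}
	}
	return alerts, nil
}

// SampleLogs are constructed for this example.
const SampleLogs = `
{"ts":"2026-05-18T10:00:01Z","user_id":"alice","method":"PUT","path":"/api/v4/posts/abc123","status":200,"channel_id":"town-square"}
{"ts":"2026-05-18T10:00:05Z","user_id":"bob","method":"PUT","path":"/api/v4/posts/def456/patch","status":200,"channel_id":"town-square"}
{"ts":"2026-05-18T10:00:09Z","user_id":"bob","method":"POST","path":"/api/v4/posts","status":403,"channel_id":"town-square"}
{"ts":"2026-05-18T10:00:12Z","user_id":"carol","method":"PUT","path":"/api/v4/posts/ghi789","status":403,"channel_id":"town-square"}
{"ts":"2026-05-18T10:00:15Z","user_id":"alice","method":"GET","path":"/api/v4/posts/abc123","status":200,"channel_id":"town-square"}
`

// SamplePermissions: only alice currently holds create_post in town-square (constructed).
var SamplePermissions = map[string]map[string]bool{
	"town-square": {"alice": true},
}

func main() {
	alerts, err := FindUnauthorizedEdits(SampleLogs, SamplePermissions)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s user %s edited via %s without create_post\n", a.Timestamp, a.UserID, a.Path)
	}
}
```

Run against the constructed sample, only bob's successful `PUT .../patch` is flagged: his rejected `POST` shows the create path enforcing the permission, and carol's `PUT` is a 403 from a server that already blocks the edit. The snapshot comparison is what makes the check useful for the retrospective review the advisory recommends, since it works on logs recorded before the patch was applied.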
Evidence notes
The vulnerability was disclosed by Mattermost through its security advisory channel and subsequently published in the NVD. The CPE configurations confirm the affected version ranges across three maintained release branches. The CVSS score of 4.3 reflects the limited impact: the missing check allows edits to a user's existing posts only, not the creation of new content. The vendor advisory is the authoritative source for remediation guidance.
Official resources
- CVE-2026-3637 CVE record (CVE.org)
- CVE-2026-3637 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-18