CVE-2026-2461 MEDIUM

CVE-2026-2461: Missing authorization check allows unauthorized modification of other users' comments on a board

Vendor Mattermost
Product Mattermost
Weakness CWE-639 · IDOR
Published March 16, 2026
Last update March 16, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Key dates

02Disclosure timeline

March 16, 2026 CVE published
March 16, 2026 Record updated