CVE-2026-3473 MEDIUM

CVE-2026-3473: Improper file ownership validation in the Boards API allows unauthorised file access

Vendor Mattermost
Product Mattermost
Weakness CWE-639 · IDOR
Published May 22, 2026
Last update May 22, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620

Key dates

02Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated