CVE-2026-4053 LOW

CVE-2026-4053: post edit time limit is not enforced on some post update operations

Vendor Mattermost
Product Mattermost
Weakness CWE-672
Published May 15, 2026
Last update May 15, 2026

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints.. Mattermost Advisory ID: MMSA-2026-00631

Key dates

02Disclosure timeline

May 15, 2026 CVE published
May 15, 2026 Record updated