Skip to main content
CVE-2026-4265 MEDIUM PATCH This Month

This vulnerability in Mattermost allows guest users to bypass team-specific file upload permissions through a cross-team file metadata reuse attack. Affected versions include Mattermost 11.3.0, 11.2.x up to 11.2.2, and 10.11.x up to 10.11.10. An authenticated guest user can upload a file in a team where they have upload_file permission, then reuse that file's metadata in POST requests to channels in different teams where they lack upload permission, resulting in unauthorized file posting with potential integrity impact.

Authentication Bypass Mattermost Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24692 MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 4.3) that allows guest users without read permissions. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Mattermost Server Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2463 MEDIUM PATCH This Month

Mattermost fails to properly validate user permissions when filtering invite IDs during team creation, allowing authenticated users to bypass access controls and register unauthorized accounts using leaked or discovered invite tokens. Affected versions include Mattermost 11.3.0 and earlier in the 11.3.x branch, 11.2.2 and earlier in the 11.2.x branch, and 10.11.10 and earlier in the 10.11.x branch. An authenticated attacker with knowledge of valid invite IDs can circumvent intended access restrictions to create accounts that should be restricted, resulting in unauthorized account registration and potential lateral movement within the Mattermost instance.

Authentication Bypass Mattermost Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2457 MEDIUM PATCH This Month

Mattermost fails to properly sanitize client-supplied post metadata in its post update API endpoint, allowing authenticated attackers to spoof permalink embeds and impersonate other users through crafted PUT requests. The vulnerability affects Mattermost versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier. While the CVSS score of 4.3 is moderate and requires authentication, the integrity impact allows attackers to deceive users by falsely attributing messages to legitimate users, potentially facilitating social engineering or misinformation campaigns within Mattermost instances.

Information Disclosure Mattermost Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32723 MEDIUM PATCH This Month

SandboxJS 0.8.34 contains a race condition where a shared global tick state allows concurrent sandboxes to interfere with each other's execution quotas during timer callback compilation. An attacker in a multi-tenant environment can exploit this to bypass resource limits and exhaust CPU/memory on the host system. A patch is available.

Race Condition Denial Of Service Node.js
NVD GitHub VulDB
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy