Skip to main content

Suse CVE-2026-2461

| EUVDEUVD-2026-12411 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-16 Mattermost GHSA-hf8w-x9h5-5gf9
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 12:00 euvd
EUVD-2026-12411
Analysis Generated
Mar 16, 2026 - 12:00 vuln.today
CVE Published
Mar 16, 2026 - 11:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

AnalysisAI

Mattermost Plugins versions 11.3 and earlier fail to implement proper authorization checks on comment block modifications, allowing authenticated users with editor permissions to modify comments created by other board members without restriction. An authorized attacker can alter or tamper with comments from colleagues, potentially modifying project records, discussions, or audit trails. With a CVSS score of 4.3 and low attack complexity, this represents a moderate integrity risk in collaborative environments where comment authenticity is important, though exploitation requires prior authentication and editor-level access.

Technical ContextAI

The vulnerability exists in Mattermost Plugins, a collaborative workspace platform that handles comment and board management functionality. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the application fails to properly validate whether a user has authorization to modify specific comment objects before allowing the modification operation to proceed. The affected versions include Mattermost Plugins 11.3, 11.0.3, 11.2.2, and 10.10.11.0 across multiple release branches. The vulnerability specifically impacts the comment block modification subsystem, where authorization logic either does not exist or can be bypassed by users holding editor permissions, potentially through object reference manipulation or insufficient ownership/creator checks at the API or business logic layer.

RemediationAI

Upgrade Mattermost Plugins to a patched version released after advisory MMSA-2025-00559 was published; consult the Mattermost security bulletin for the specific minimum patched version number for your release branch (e.g., if running 11.x, upgrade to the next available 11.x patch or migrate to a stable later branch). Until patching can be applied, implement compensating controls by restricting editor permissions to only trusted users, disabling board comment modification features if not essential, and enabling audit logging on all comment modifications to detect unauthorized changes after the fact. Additionally, consider role-based access controls that limit who can be granted editor permissions in the first place.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-2461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy