Mattermost fails to properly enforce read permissions in search API endpoints

GHSA-cwfj-642j-gfh4 · CVE-2026-24692 · GO-2026-4745

Published Mar 16, 2026 · Modified Mar 23, 2026

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-24692
WEB https://github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes