MEDIUM 4.3 Go
Mattermost doesn't check the create_post channel permission during post edit operations
GHSA-v549-xx3c-6pc8 · CVE-2026-3637
Published · Modified
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026-00627
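The missing check described above, modelled as an added example (not Mattermost source code or its patch): an edit authorization that ignores create_post next to one that enforces it. All type and function names are hypothetical, the channel and user data are constructed, and `edit_post` as the separate edit permission is an assumption; only `create_post` comes from the advisory.

```go
package main

import "fmt"

// Simplified model, not Mattermost code. "create_post" is the permission named
// in the advisory; "edit_post" is an assumed name for the edit permission.
const (
	PermCreatePost = "create_post"
	PermEditPost   = "edit_post"
)

type Post struct{ ID, ChannelID, UserID string }

// ChannelPerms maps channelID -> userID -> set of granted permissions.
type ChannelPerms map[string]map[string]map[string]bool

func (c ChannelPerms) Has(channelID, userID, perm string) bool {
	return c[channelID][userID][perm] // lookups on missing keys yield false
}

// Revoke removes one permission from a user in a channel.
func (c ChannelPerms) Revoke(channelID, userID, perm string) {
	delete(c[channelID][userID], perm)
}

// canEditFlawed models the reported behaviour: the update/patch path checks
// authorship and the edit permission, but never consults create_post.
func canEditFlawed(p ChannelPerms, userID string, post Post) bool {
	return post.UserID == userID && p.Has(post.ChannelID, userID, PermEditPost)
}

// canEditFixed additionally requires create_post in the post's channel, so
// revoking posting rights also blocks edits to existing posts.
func canEditFixed(p ChannelPerms, userID string, post Post) bool {
	return canEditFlawed(p, userID, post) && p.Has(post.ChannelID, userID, PermCreatePost)
}

// constructedScenario builds sample data: alice authored a post in a channel
// and then had create_post revoked there; bob keeps both permissions.
func constructedScenario() (ChannelPerms, Post) {
	perms := ChannelPerms{"town-square": {
		"alice": {PermCreatePost: true, PermEditPost: true},
		"bob":   {PermCreatePost: true, PermEditPost: true},
	}}
	perms.Revoke("town-square", "alice", PermCreatePost)
	return perms, Post{ID: "p1", ChannelID: "town-square", UserID: "alice"}
}

func main() {
	perms, post := constructedScenario()
	fmt.Println("flawed check allows edit:", canEditFlawed(perms, "alice", post))
	fmt.Println("fixed check allows edit: ", canEditFixed(perms, "alice", post))
}
```

The same scenario works as a regression test: revoke create_post for a post's author, then confirm that both the update and the patch path reject the edit.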