LOW 3.1 Go

Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields

GHSA-hw87-6jcq-9f8q · CVE-2026-4053

Published · Modified

Description

Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify a post's file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631.
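The class of gap described above, as an added Go example that is not Mattermost's code: an edit-window check gated only on a message change, next to one that gates every patched field. The `Post` and `PostPatch` types, the function names, and treating a negative limit as "no limit" are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"time"
)

// Post and PostPatch are hypothetical simplified types, not Mattermost's own model.
type Post struct {
	CreateAt time.Time
	Message  string
	FileIDs  []string
	Props    map[string]any
	IsPinned bool
}
type PostPatch struct { // a nil pointer means the field is absent from the patch
	Message  *string
	FileIDs  *[]string
	Props    *map[string]any
	IsPinned *bool
}

// gate rejects a change made after the window; a negative limit is assumed to mean "no limit".
func gate(changed bool, p Post, limit time.Duration, now time.Time) error {
	if changed && limit >= 0 && now.Sub(p.CreateAt) > limit {
		return fmt.Errorf("post edit time limit expired")
	}
	return nil
}

// CheckMessageOnly is the flawed pattern: only a message change is gated.
func CheckMessageOnly(p Post, patch PostPatch, limit time.Duration, now time.Time) error {
	return gate(patch.Message != nil && *patch.Message != p.Message, p, limit, now)
}

// CheckAllFields gates attachments, props and pin status with the same window.
func CheckAllFields(p Post, patch PostPatch, limit time.Duration, now time.Time) error {
	changed := (patch.Message != nil && *patch.Message != p.Message) ||
		(patch.FileIDs != nil && !reflect.DeepEqual(*patch.FileIDs, p.FileIDs)) ||
		(patch.Props != nil && !reflect.DeepEqual(*patch.Props, p.Props)) ||
		(patch.IsPinned != nil && *patch.IsPinned != p.IsPinned)
	return gate(changed, p, limit, now)
}

func main() {
	pin, now, limit := true, time.Now(), 5*time.Minute
	old, patch := Post{CreateAt: now.Add(-time.Hour)}, PostPatch{IsPinned: &pin} // constructed sample
	fmt.Println(CheckMessageOnly(old, patch, limit, now), CheckAllFields(old, patch, limit, now))
}
```

A regression test for this kind of fix should patch each non-message field on a post older than the limit and expect a rejection from both the patch and the update code paths.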
