CVE-2026-2457

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.3.0 and earlier Mattermost versions 11.2.2 and earlier Mattermost versions 10.11.10 and earlier

Description The software does not properly sanitize client-supplied post metadata. This allows an authenticated attacker to spoof permalink embeds, impersonating other users by sending crafted PUT requests to the post update API endpoint, ''/api/v1/posts/{post id}''. The vulnerable parameter is the post metadata within the PUT request.

Recommendations Update Mattermost to a version later than 11.3.0. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 10.11.10.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-346

Related Identifiers

BDU:2026-06572

CVE-2026-2457

GHSA-PH22-FW5M-W2Q9

GO-2026-4732

SUSE-SU-2026:1135-1

Affected Products

Mattermost

CVE-2026-2457

Weakness Enumeration

Related Identifiers

Affected Products

References · 151