PT-2026-25705 · Mattermost · Mattermost

0X7Oda7123 · Published 2026-02-16 · Updated 2026-03-27 · CVE-2026-4265

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.x through 10.11.10
Mattermost versions 11.2.x through 11.2.2
Mattermost versions 11.3.x through 11.3.0

Description

Mattermost fails to properly validate team-specific upload permissions. This allows a guest user to post files in channels where they do not have upload permissions. The issue is triggered by uploading files in a team where the user has permission, then reusing the file metadata in a POST request to a different team. The upload file permission is not correctly enforced across teams, leading to potential unauthorized file uploads.

Recommendations

Update Mattermost to a version beyond 10.11.10.
Update Mattermost to a version beyond 11.2.2.
Update Mattermost to a version beyond 11.3.0.
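
The missing check in the description above, as an added Go illustration (not Mattermost's code or its actual patch): post creation re-validates upload permission in the target channel's team and binds each file ID to its uploader and original channel. All type, field and function names and the sample data are hypothetical and constructed.

```go
package main

import ("errors"; "fmt")

// Constructed model; every name here is hypothetical, not Mattermost's API.
type FileInfo struct {
	CreatorID, ChannelID string // who uploaded it, and to which channel
	PostID               string // set once the file is attached to a post
}

type Store struct {
	Files       map[string]*FileInfo
	ChannelTeam map[string]string          // channel ID -> team ID
	CanUpload   map[string]map[string]bool // user ID -> team ID -> upload allowed
}

var ErrForbidden = errors.New("file attachment not permitted")

// AttachFiles re-checks permission for the target channel instead of trusting the upload-time check.
func (s *Store) AttachFiles(userID, channelID, postID string, fileIDs []string) error {
	team, ok := s.ChannelTeam[channelID]
	if !ok || (len(fileIDs) > 0 && !s.CanUpload[userID][team]) {
		return fmt.Errorf("%w: no upload permission for channel %s", ErrForbidden, channelID)
	}
	for _, id := range fileIDs {
		f, found := s.Files[id]
		if !found || f.CreatorID != userID || f.ChannelID != channelID || f.PostID != "" {
			return fmt.Errorf("%w: file %s", ErrForbidden, id)
		}
	}
	for _, id := range fileIDs { // attach only after every ID passed
		s.Files[id].PostID = postID
	}
	return nil
}

// sampleStore: guest1 may upload in teamA only and has uploaded f1 to chanA.
func sampleStore() *Store {
	return &Store{
		Files:       map[string]*FileInfo{"f1": {CreatorID: "guest1", ChannelID: "chanA"}},
		ChannelTeam: map[string]string{"chanA": "teamA", "chanB": "teamB"},
		CanUpload:   map[string]map[string]bool{"guest1": {"teamA": true}},
	}
}

func main() {
	fmt.Println(sampleStore().AttachFiles("guest1", "chanB", "p1", []string{"f1"}))
}
```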

Fix

LPE

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BDU:2026-06569
CVE-2026-4265
GHSA-XPVF-6QCC-9JQC
GO-2026-4749
SUSE-SU-2026:1135-1

Affected Products

Mattermost