PT-2026-25759 · Mattermost · Mattermost

0X7Oda7123 · Published 2026-02-13 · Updated 2026-03-27 · CVE-2026-24692

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.0 through 10.11.10
Mattermost versions 11.2.0 through 11.2.2
Mattermost version 11.3.0

Description

Mattermost does not correctly enforce read permissions in the search API endpoints. As a result, guest users without read permissions can access posts and files in channels by making requests to the search API. Beyond the search API itself, the specific vulnerable endpoints and the vulnerable parameter are not specified.

Recommendations

Mattermost versions 10.11.0 through 10.11.10 should be updated.
Mattermost versions 11.2.0 through 11.2.2 should be updated.
Mattermost version 11.3.0 should be updated.

Fix

Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

BDU:2026-06561
CVE-2026-24692
GHSA-CWFJ-642J-GFH4
GO-2026-4745
SUSE-SU-2026:1135-1

Affected Products

Mattermost