CVE-2026-3473

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-3473

Affected Products

Mattermost

CVE-2026-3473

Weakness Enumeration

Related Identifiers

Affected Products

References · 1