VYPR
Moderate severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026

Missing authorization check allows unauthorized modification of other users' comments on a board

CVE-2026-2461

Description

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           github.com/mattermost/mattermost-plugin-boards (Go)
Affected versions: < 0.0.0-20260108044135-57c5be5b6ef5
Patched versions:  0.0.0-20260108044135-57c5be5b6ef5

Patches

57c5be5b6ef5

Validation to modify comments (#152)

2 files changed · +23 −2
  • server/api/blocks.go · +13 −0 · modified
    @@ -570,6 +570,13 @@ func (a *API) handlePatchBlock(w http.ResponseWriter, r *http.Request) {
     		return
     	}
     
    +	if block.Type == model.TypeComment && block.CreatedBy != userID {
    +		if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionDeleteOthersComments) {
    +			a.errorResponse(w, r, model.NewErrPermission("access denied to modify others' comments"))
    +			return
    +		}
    +	}
    +
     	requestBody, err := io.ReadAll(r.Body)
     	if err != nil {
     		a.errorResponse(w, r, err)
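Review bot: the new gate authorises editing another user's comment with `model.PermissionDeleteOthersComments`, which by its name is a delete permission; if the permission model has a separate edit-others-comments permission it belongs here, and if delete and edit are deliberately the same privilege a one-line comment saying so would stop a later reader from "fixing" it. The check runs before `io.ReadAll(r.Body)`, so `block` must be the stored block rather than anything built from the request; keep it that way, because the check is only meaningful against the stored `CreatedBy`.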
    @@ -674,6 +681,12 @@ func (a *API) handlePatchBlocks(w http.ResponseWriter, r *http.Request) {
     			a.errorResponse(w, r, model.NewErrPermission("access denied to make board changesa"))
     			return
     		}
    +		if block.Type == model.TypeComment && block.CreatedBy != userID {
    +			if !a.permissions.HasPermissionToBoard(userID, block.BoardID, model.PermissionDeleteOthersComments) {
    +				a.errorResponse(w, r, model.NewErrPermission("access denied to modify others' comments"))
    +				return
    +			}
    +		}
     	}
     
     	err = a.app.PatchBlocksAndNotify(teamID, patches, userID, disableNotify)
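Review bot: the added lines are a verbatim copy of the ownership check in handlePatchBlock, differing only in `block.BoardID` versus `boardID`; extracting it into a helper that takes the user ID and the stored block keeps the two handlers from drifting apart. The unchanged context line at the top of the hunk also carries a typo in the error string, "access denied to make board changesa", that could be corrected in the same change.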
    
  • server/services/store/sqlstore/blocks.go · +10 −2 · modified
    @@ -265,6 +265,14 @@ func (s *SQLStore) insertBlock(db sq.BaseRunner, block *model.Block, userID stri
     			"board_id",
     		)
     
    +	// Preserve the original creator when updating an existing block
    +	createdBy := userID
    +	createAt := utils.GetMillis()
    +	if existingBlock != nil {
    +		createdBy = existingBlock.CreatedBy
    +		createAt = existingBlock.CreateAt
    +	}
    +
     	insertQueryValues := map[string]interface{}{
     		"channel_id":            "",
     		"id":                    block.ID,
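Review bot: `existingBlock` is neither declared in the added lines nor visible in the surrounding context, and the function signature is cut off at `userID stri`; confirm it is a parameter of insertBlock (or a lookup made before this point) that is nil only for genuinely new blocks, since a stale non-nil value would copy the wrong creator while a nil value on an update would silently re-attribute the block to the caller, which is exactly the condition the API-layer check depends on not happening.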
    @@ -274,9 +282,9 @@ func (s *SQLStore) insertBlock(db sq.BaseRunner, block *model.Block, userID stri
     		"title":                 block.Title,
     		"fields":                fieldsJSON,
     		"delete_at":             block.DeleteAt,
    -		"created_by":            userID,
    +		"created_by":            createdBy,
     		"modified_by":           block.ModifiedBy,
    -		"create_at":             utils.GetMillis(),
    +		"create_at":             createAt,
     		"update_at":             block.UpdateAt,
     		"board_id":              block.BoardID,
     	}
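Review bot: with `created_by` and `create_at` now taken from the preserved values instead of `userID` and `utils.GetMillis()`, the store no longer re-attributes a block to whoever last patched it, which is what the ownership check in the API layer relies on; a store test that inserts a block as one user, updates it as a second user and asserts both columns are unchanged would lock this in. `modified_by` and `update_at` still come from the incoming block, which is right for an update but worth a short comment next to the preserved fields so the asymmetry reads as intentional.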
    
