Moderate severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026
Guest users can bypass read permissions via search API
CVE-2026-24692
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20260107142155-0481bd1fb045 | 8.0.0-20260107142155-0481bd1fb045 |
| github.com/mattermost/mattermost-server (Go) | < 5.3.2-0.20260107142155-0481bd1fb045 | 5.3.2-0.20260107142155-0481bd1fb045 |
| github.com/mattermost/mattermost-server (Go) | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
| github.com/mattermost/mattermost-server (Go) | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
| github.com/mattermost/mattermost-server (Go) | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
- ghsa-coords (3 versions):
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: < 5.3.2-0.20260107142155-0481bd1fb045
- (no CPE) range: < 8.0.0-20260107142155-0481bd1fb045
- (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
- Range: 11.3.0
References
- github.com/advisories/GHSA-cwfj-642j-gfh4 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-24692 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4 (ghsa, WEB)