Medium severity4.3NVD Advisory· Published May 18, 2026· Updated May 19, 2026
CVE-2026-3637
CVE-2026-3637
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 10.11.0, < 10.11.14 | 10.11.14 |
github.com/mattermost/mattermost/server/v8Go | >= 11.4.0, < 11.4.4 | 11.4.4 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20260316171743-090408f09f53 | 8.0.0-20260316171743-090408f09f53 |
github.com/mattermost/mattermost/server/v8Go | >= 11.5.0, < 11.5.2 | 11.5.2 |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20260316171743-090408f09f53 | 5.3.2-0.20260316171743-090408f09f53 |
Affected products
2cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*range: >=10.11.0,<10.11.14
- (no CPE)range: <=11.5.1, <=10.11.13, <=11.4.3
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-v549-xx3c-6pc8ghsaADVISORY
- mattermost.com/security-updatesnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-3637ghsaADVISORY
- github.com/mattermost/mattermost/commit/090408f09f53ffc9afc6c65c7c7c1fd3a8cd22f3ghsaWEB
News mentions
0No linked articles in our index yet.