CVE-2026-10103 PUBLISHED

Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels

Assigner: Mattermost
Reserved: 29.05.2026 Published: 13.07.2026 Updated: 13.07.2026

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor Mattermost
Product Mattermost
Versions Default: unaffected
  • affected from 11.7.0 to 11.7.2 (incl.)
  • affected from 11.6.0 to 11.6.4 (incl.)
  • affected from 10.11.0 to 10.11.19 (incl.)
  • Version 11.8.0 is unaffected
  • Version 11.7.3 is unaffected
  • Version 11.6.5 is unaffected
  • Version 10.11.20 is unaffected

Solutions

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.

Credits

  • ratrarity finder

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE