CVE-2026-24692 PUBLISHED

Guest users can bypass read permissions via search API

Assigner: Mattermost
Reserved: 13.02.2026
Published: 16.03.2026
Updated: 16.03.2026

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests.

Mattermost Advisory ID: MMSA-2025-00554

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor: Mattermost
Product: Mattermost
Versions (default: unaffected):
  • affected from 11.3.0 to 11.3.0 (incl.)
  • affected from 11.2.0 to 11.2.2 (incl.)
  • affected from 10.11.0 to 10.11.10 (incl.)
  • Version 11.4.0 is unaffected
  • Version 11.3.1 is unaffected
  • Version 11.2.3 is unaffected
  • Version 10.11.11 is unaffected

Solutions

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.

Credits

  • 0x7oda7123 (finder)

Problem Types

  • CWE-863: Incorrect Authorization