Primary

Context

Mattermost File Access Vulnerability via Crafted Boards API Requests

Vulnerability

Patched

A vulnerability exists in Mattermost versions 11.6.x through 11.6.0, 11.5.x through 11.5.3, 11.4.x through 11.4.4, and 10.11.x through 10.11.14. These versions fail to properly validate file ownership and access control, allowing authenticated users to access and download files belonging to other users or teams. This is achieved by sending crafted Boards API requests that include valid file IDs.

Impact

Exploitation of this vulnerability allows for unauthorized access to files, enabling an authenticated user to download files belonging to other users or teams.

Remediation

Users can upgrade to Mattermost versions 11.8.0, 11.7.1, or 10.11.18 to address this vulnerability.

Added: May 26, 2026, 4:23 PM

Updated: May 26, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

5.2

remediation

7.7

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost File Access Vulnerability via Crafted Boards API Requests

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating