Untriaged
Permalink
CVE-2026-10103
4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
References
-
MMSA-2026-00689 vendor-advisory
Affected products
Mattermost
- =<11.6.4
- ==11.6.5
- ==11.8.0
- ==11.7.3
- ==10.11.20
- =<10.11.19
- =<11.7.2
Matching in nixpkgs
pkgs.mattermost
Open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermostLatest
Open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermost-desktop
Mattermost Desktop client
pkgs.python313Packages.mattermostdriver
Python Mattermost Driver
Package maintainers
-
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>
-
@numinit Morgan Jones <me+nixpkgs@numin.it>
-
@ryantm Ryan Mulligan <ryan@ryantm.com>
-
@liff Olli Helenius <liff@iki.fi>
-
@jokogr Ioannis Koutras <ioannis.koutras@gmail.com>
-
@yayayayaka Yaya <github@uwu.is>