Vulnerability DatabaseCVE-2026-3637
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-3637
Published:May 18, 2026
Updated:June 11, 2026
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627
Affected Packages
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v10.11.0 <v10.11.14
Fix Suggestion:
Update to version v10.11.14
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v11.4.0 <v11.4.4
Fix Suggestion:
Update to version v11.4.4
https://github.com/mattermost/mattermost.git (GITHUB):
Affected version(s) >=v11.5.0 <v11.5.2
Fix Suggestion:
Update to version v11.5.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.11.0 <v10.11.14
Fix Suggestion:
Update to version v10.11.14
github.com/mattermost/mattermost (GO):
Affected version(s) >=v11.4.0 <v11.4.4
Fix Suggestion:
Update to version v11.4.4
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20260316171743-090408f09f53
Fix Suggestion:
Update to version v8.0.0-20260316171743-090408f09f53
github.com/mattermost/mattermost (GO):
Affected version(s) >=v11.5.0 <v11.5.2
Fix Suggestion:
Update to version v11.5.2
Related Resources (4)
https://github.com/mattermost/mattermost
https://nvd.nist.gov/vuln/detail/CVE-2026-3637
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/090408f09f53ffc9afc6c65c7c7c1fd3a8cd22f3
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.03