CVE-2026-2461 - Vulnerability Analysis
Medium | CVSS: 4.3 | Last Updated: March 16, 2026
Mattermost Plugins - Broken Access Control
Published: March 16, 2026 | Updated: March 16, 2026 | PoC Available | Remote Exploitable
Overview
Mattermost Plugins <=11.3, 11.0.3, 11.2.2, 10.10.11.0 contain a broken access control vulnerability caused by missing authorization checks on comment block modifications, which lets authorized attackers with editor permissions modify other users' comments.
Severity & Score
Severity: Medium
CVSS Score: 4.3
Impact
Authorized attackers with editor permissions can modify comments created by other users, leading to data tampering and potential misinformation.
Mitigation
Update to the latest version beyond 11.3 or apply vendor patches addressing authorization checks.
Details
- CVE ID: CVE-2026-2461
- Severity: Medium
- CVSS Score: 4.3
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N