Mattermost Plugins <=11.3 Auth Checks Missing on Comment Mods
CVE-2026-2461 Published on March 16, 2026
Missing authorization check allows unauthorized modification of other users' comments on a board
Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
Vulnerability Analysis
CVE-2026-2461 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-2461 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2026-2461
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Before and including 11.0.3 is affected.
- Before and including 11.2.2 is affected.
- Before and including 10.10.11 is affected.
- Version 11.4.0 is unaffected.
- Version 11.3.1 is unaffected.
- Version 11.2.3 is unaffected.
- Version 10.11.11 is unaffected.