Mattermost <11.6 Access Control Bypass via Boards API
CVE-2026-3473 Published on May 22, 2026
Improper file ownership validation in the Boards API allows unauthorised file access
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620
Vulnerability Analysis
CVE-2026-3473 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-3473 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2026-3473
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 11.6.0, <= 11.6.0 is affected.
- Version 11.5.0, <= 11.5.3 is affected.
- Version 11.4.0, <= 11.4.4 is affected.
- Version 10.11.0, <= 10.11.14 is affected.
- Version 11.7.0 is unaffected.
- Version 11.6.1 is unaffected.
- Version 11.5.4 is unaffected.
- Version 11.4.5 is unaffected.
- Version 10.11.15 is unaffected.