Mattermost 11.5.1 / 10.11.13: Edit-Window Bypass via Post API
CVE-2026-4053 Published on May 15, 2026

Post edit time limit is not enforced on some post update operations
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631

Vulnerability Analysis

CVE-2026-4053 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

Weakness Type

Operation on a Resource after Expiration or Release

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.


Products Associated with CVE-2026-4053

Affected Versions

Mattermost: