CVE-2026-10103

Source
https://cve.org/CVERecord?id=CVE-2026-10103
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10103.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10103
Downstream
Published
2026-07-13T07:57:11.062Z
Modified
2026-07-16T03:48:14.768048682Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
Details

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10103.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "11.7.0"
                },
                {
                    "last_affected": "11.7.2"
                },
                {
                    "introduced": "11.6.0"
                },
                {
                    "last_affected": "11.6.4"
                },
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.19"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "Mattermost"
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.20"
        },
        {
            "introduced": "11.6.0"
        },
        {
            "fixed": "11.6.5"
        },
        {
            "introduced": "11.7.0"
        },
        {
            "fixed": "11.7.3"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*"
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.7.0
@mattermost/shared@11.*
@mattermost/shared@11.7.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.7.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.7.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11
v10.11.11-rc1
v10.11.11-rc2
v10.11.12
v10.11.13
v10.11.13-rc1
v10.11.14
v10.11.14-rc1
v10.11.15
v10.11.15-rc1
v10.11.16
v10.11.17
v10.11.18
v10.11.19
v10.11.19-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.6.0
v11.6.1
v11.6.1-rc1
v11.6.2
v11.6.3
v11.6.4
v11.7.0
v11.7.1
v11.7.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10103.json"