CVE-2026-24692

Source
https://cve.org/CVERecord?id=CVE-2026-24692
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24692.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24692
Aliases
Downstream
Related
Published
2026-03-16T14:56:45.323Z
Modified
2026-07-08T07:48:30.047180500Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Guest users can bypass read permissions via search API
Details

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24692.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-863"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.3.0"
                },
                {
                    "last_affected": "11.3.0"
                },
                {
                    "introduced": "11.2.0"
                },
                {
                    "last_affected": "11.2.2"
                },
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.10"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.11"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "11.2.3"
        },
        {
            "introduced": "11.3.0"
        },
        {
            "fixed": "11.3.1"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.3.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.3.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.3.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.2.0
v11.2.1
v11.2.1-rc1
v11.2.2
v11.3.0
v11.3.0-rc3
v11.3.0-rc4
v11.3.1-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24692.json"