Loading market data...
← Back to CVE feed

CVE-2026-10103

MEDIUM CVSS 4.3 View on NVD ↗

Description

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

mattermost/mattermost_server
Published: Jul 13, 2026 09:16 UTC Modified: Jul 13, 2026 22:01 UTC