Permission Misconfiguration in Mattermost Allows Unauthorized Access
CVE-2026-3113
5 MEDIUM
What is CVE-2026-3113?
Multiple versions of Mattermost exhibit a permissions misconfiguration in their bulk export functionality. Specifically, users on the same server can access the contents of bulk exports that they should not have permission to read. This flaw affects Mattermost versions 11.4.x up to and including 11.4.0, 11.3.x up to and including 11.3.1, 11.2.x up to and including 11.2.3, and 10.11.x up to and including 10.11.11. Server administrators must take immediate action to safeguard sensitive data from unauthorized access.
Affected Version(s)
Mattermost 11.4.0
Mattermost 11.3.0 <= 11.3.1
Mattermost 11.2.0 <= 11.2.3