{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-24692","assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","state":"PUBLISHED","assignerShortName":"Mattermost","dateReserved":"2026-02-13T10:01:31.964Z","datePublished":"2026-03-16T14:56:45.323Z","dateUpdated":"2026-03-16T18:19:26.675Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.3.0","status":"affected","version":"11.3.0","versionType":"semver"},{"lessThanOrEqual":"11.2.2","status":"affected","version":"11.2.0","versionType":"semver"},{"lessThanOrEqual":"10.11.10","status":"affected","version":"10.11.0","versionType":"semver"},{"version":"11.4.0","status":"unaffected"},{"version":"11.3.1","status":"unaffected"},{"version":"11.2.3","status":"unaffected"},{"version":"10.11.11","status":"unaffected"}]}],"credits":[{"lang":"en","type":"finder","value":"0x7oda7123"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests. \nMattermost Advisory ID: MMSA-2025-00554"}],"metrics":[{"cvssV3_1":{"attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseSeverity":"MEDIUM","baseScore":4.3},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-863: Incorrect Authorization","cweId":"CWE-863"}]}],"references":[{"url":"https://mattermost.com/security-updates","name":"MMSA-2025-00554","tags":["vendor-advisory"]}],"solutions":[{"value":"Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.","lang":"en"}],"source":{"advisory":"MMSA-2025-00554","defect":["https://mattermost.atlassian.net/browse/MM-66495"],"discovery":"EXTERNAL"},"title":"Guest users can bypass read permissions via search API","providerMetadata":{"orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost","dateUpdated":"2026-03-16T14:56:45.323Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-16T18:19:16.496068Z","id":"CVE-2026-24692","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-16T18:19:26.675Z"}}]}}