{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3amattermostmattermost_server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-3473"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mattermost Server"],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability","mattermost","authorization bypass"],"_cs_type":"threat","_cs_vendors":["Mattermost Inc."],"content_html":"\u003cp\u003eMattermost, a popular open-source collaboration platform, is vulnerable to an authorization bypass issue. CVE-2026-3473 affects Mattermost Server versions 11.6.x \u0026lt;= 11.6.0, 11.5.x \u0026lt;= 11.5.3, 11.4.x \u0026lt;= 11.4.4, and 10.11.x \u0026lt;= 10.11.14. This vulnerability stems from a failure to properly validate file ownership and access control. An authenticated user can exploit this flaw to gain unauthorized access to and download files belonging to other users or teams. The attack is carried out via crafted Boards API requests utilizing valid file IDs. This vulnerability is identified by Mattermost Advisory ID MMSA-2026-00620. 
Successful exploitation exposes files that the attacker was never authorized to read.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to a vulnerable Mattermost server with any valid account.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid file ID for a file that belongs to another user or team.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted Boards API request that references that file ID.\u003c/li\u003e\n\u003cli\u003eThe server resolves the file by ID but never checks that the requester is entitled to it, so it returns the file and the attacker downloads it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3473 allows an authenticated user to access and download files belonging to other users or teams within the Mattermost instance. Because the only precondition is an account on the instance, the team and board boundaries that normally separate files do not hold against any logged-in user. This could lead to the unauthorized disclosure of sensitive information, including confidential documents, private communications, and other proprietary data reachable through the Boards API, which matters most for organizations that rely on Mattermost for internal communication and collaboration. 
The number of affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mattermost Server to a patched version (later than 11.6.0, 11.5.3, 11.4.4, or 10.11.14) to remediate CVE-2026-3473 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for Boards API file requests (cs-uri-stem|contains: \u0026ldquo;/api/v1/boards\u0026rdquo;). That selector matches all Boards traffic, so baseline it and alert on a single account fetching files from an unusually large number of distinct boards or teams in a short window, which is what walking foreign file IDs looks like in the logs.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule, which is built on the same selector, and tune it against normal Boards usage so it does not fire on routine file access.\u003c/li\u003e\n\u003cli\u003eApply least privilege to account provisioning and to team and board membership. The bug is reachable by any authenticated account, so the set of people who can hold an account on the instance is the attack surface, and keeping it small also bounds the impact of similar authorization bugs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:30:28Z","date_published":"2026-05-26T13:30:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-file-access/","summary":"Mattermost versions 11.6.x \u003c= 11.6.0, 11.5.x \u003c= 11.5.3, 11.4.x \u003c= 11.4.4, 10.11.x \u003c= 10.11.14 fail to validate file ownership and access control, allowing an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.","title":"Mattermost File Access Vulnerability (CVE-2026-3473)","url":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}
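The attack chain above, together with the vendor wording "fails to validate file ownership and access control", describes an object-level authorization bug: the file lookup succeeds on the ID alone and the identity of the caller is never consulted. The Go block below is an example added to this brief, not Mattermost's code. It shows the vulnerable lookup beside a hardened one that resolves the file to its board and team and serves it only to team members; the in-memory store, the file/board/team model, the user names and the function names are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Constructed, in-memory stand-in for the objects involved: a file hangs off
// a board, a board belongs to a team, and a team has members. This is an
// illustrative model, not Mattermost's real data model or API.
type fileRecord struct {
	ID      string
	BoardID string
	Content []byte
}

type board struct {
	ID     string
	TeamID string
}

type store struct {
	files   map[string]fileRecord
	boards  map[string]board
	members map[string]map[string]bool // teamID -> userID -> is member
}

var (
	errNotFound  = errors.New("file not found")
	errForbidden = errors.New("requester is not a member of the file's team")
)

// serveFileVulnerable shows the bug class the advisory describes: the handler
// confirms the caller is authenticated and that the file ID exists, but never
// asks whether this caller may read this file.
func (s *store) serveFileVulnerable(userID, fileID string) ([]byte, error) {
	if userID == "" {
		return nil, errForbidden // authentication only, no authorization
	}
	f, ok := s.files[fileID]
	if !ok {
		return nil, errNotFound
	}
	return f.Content, nil
}

// serveFileHardened resolves the file to its board and team and serves it only
// to members of that team. The object-level check runs on every request and
// uses the caller's identity, never anything supplied in the request itself.
func (s *store) serveFileHardened(userID, fileID string) ([]byte, error) {
	if userID == "" {
		return nil, errForbidden
	}
	f, ok := s.files[fileID]
	if !ok {
		return nil, errNotFound
	}
	b, ok := s.boards[f.BoardID]
	if !ok || !s.members[b.TeamID][userID] {
		return nil, errForbidden
	}
	return f.Content, nil
}

// statusFor maps both failure modes to 404 so a caller probing IDs cannot tell
// "does not exist" from "exists but you may not see it".
func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, errNotFound), errors.Is(err, errForbidden):
		return http.StatusNotFound
	default:
		return http.StatusInternalServerError
	}
}

// newSampleStore builds constructed data: alice and bob share team t1, carol
// is alone on team t2, and carol's board b2 holds the file f_secret.
func newSampleStore() *store {
	return &store{
		files: map[string]fileRecord{
			"f_public": {ID: "f_public", BoardID: "b1", Content: []byte("t1 roadmap")},
			"f_secret": {ID: "f_secret", BoardID: "b2", Content: []byte("t2 salary review")},
		},
		boards: map[string]board{
			"b1": {ID: "b1", TeamID: "t1"},
			"b2": {ID: "b2", TeamID: "t2"},
		},
		members: map[string]map[string]bool{
			"t1": {"alice": true, "bob": true},
			"t2": {"carol": true},
		},
	}
}

func main() {
	s := newSampleStore()
	for _, name := range []string{"vulnerable", "hardened"} {
		serve := s.serveFileVulnerable
		if name == "hardened" {
			serve = s.serveFileHardened
		}
		body, err := serve("alice", "f_secret")
		fmt.Printf("%-10s alice -> f_secret: status=%d body=%q\n", name, statusFor(err), body)
	}
}
```

Alice, who is not on team t2, receives carol's file from the vulnerable path and a 404 from the hardened one; carol still receives her own file. Returning the same status for "missing" and "forbidden" is a deliberate choice: the bug only needs a valid ID, so the endpoint should not help an attacker confirm which IDs are valid.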
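The monitoring recommendation gives only the substring selector cs-uri-stem|contains "/api/v1/boards", which matches every Boards API call, so a detection needs a second stage that separates file downloads from ordinary board traffic and looks for breadth. The Go block below is an example added to this brief, not anything from the feed or from Mattermost. It parses a constructed W3C extended log excerpt using the #Fields directive, applies the brief's selector, narrows to file requests, and flags accounts that pulled files from many distinct boards. The path shape /api/v1/boards/<board>/files/<file>, the log lines, the user names and the threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleLog is a constructed W3C extended log excerpt using the field names the
// brief's selector refers to. The request shape /api/v1/boards/<board>/files/<file>
// is an assumption for this example; the brief only names the /api/v1/boards prefix.
const sampleLog = `#Software: constructed sample
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-26 13:00:01 10.0.0.5 alice GET /api/v1/boards/b1/files/f1 - 200
2026-05-26 13:00:03 10.0.0.5 alice GET /api/v1/boards/b2/files/f7 - 200
2026-05-26 13:00:04 10.0.0.5 alice GET /api/v1/boards/b3/files/f9 - 200
2026-05-26 13:00:06 10.0.0.5 alice GET /api/v1/boards/b4/files/f2 - 200
2026-05-26 13:00:07 10.0.0.5 alice GET /api/v1/boards/b4 - 200
2026-05-26 13:01:10 10.0.0.9 bob GET /api/v1/boards/b1/files/f1 - 200
2026-05-26 13:01:12 10.0.0.9 bob GET /api/v1/boards/b1/files/f3 - 200
2026-05-26 13:02:00 10.0.0.7 carol GET /api/v1/boards/b9/files/f4 - 404
`

type fileRequest struct {
	user, board, file, status string
}

// boardFile applies the brief's selector (cs-uri-stem contains /api/v1/boards)
// and then narrows to file downloads by locating boards/<id>/files/<id> segments.
func boardFile(stem string) (board, file string, ok bool) {
	if !strings.Contains(stem, "/api/v1/boards") {
		return "", "", false
	}
	parts := strings.Split(strings.Trim(stem, "/"), "/")
	for i := 0; i+3 < len(parts); i++ {
		if parts[i] == "boards" && parts[i+2] == "files" {
			return parts[i+1], parts[i+3], true
		}
	}
	return "", "", false
}

// parseW3C reads a W3C extended log, taking column positions from the #Fields
// directive rather than hard-coding them, and keeps only Boards file requests.
func parseW3C(raw string) []fileRequest {
	idx := map[string]int{}
	var out []fileRequest
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "#Fields:"):
			idx = map[string]int{}
			for i, name := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				idx[name] = i
			}
			continue
		case strings.HasPrefix(line, "#"):
			continue
		}
		cols := strings.Fields(line)
		u, uok := idx["cs-username"]
		s, sok := idx["cs-uri-stem"]
		st, stok := idx["sc-status"]
		if !(uok && sok && stok) || u >= len(cols) || s >= len(cols) || st >= len(cols) {
			continue // no usable #Fields header yet, or a truncated record
		}
		if b, f, isFile := boardFile(cols[s]); isFile {
			out = append(out, fileRequest{user: cols[u], board: b, file: f, status: cols[st]})
		}
	}
	return out
}

// flagCrossBoardDownloads returns users who successfully downloaded files from
// at least minBoards distinct boards, with the count. Breadth is the signal: a
// legitimate user works in a few boards, an account walking foreign file IDs
// touches many.
func flagCrossBoardDownloads(reqs []fileRequest, minBoards int) map[string]int {
	boardsByUser := map[string]map[string]bool{}
	for _, r := range reqs {
		if r.status != "200" {
			continue // only completed downloads count
		}
		if boardsByUser[r.user] == nil {
			boardsByUser[r.user] = map[string]bool{}
		}
		boardsByUser[r.user][r.board] = true
	}
	flagged := map[string]int{}
	for u, bs := range boardsByUser {
		if len(bs) >= minBoards {
			flagged[u] = len(bs)
		}
	}
	return flagged
}

func main() {
	flagged := flagCrossBoardDownloads(parseW3C(sampleLog), 3)
	users := make([]string, 0, len(flagged))
	for u := range flagged {
		users = append(users, u)
	}
	sort.Strings(users)
	for _, u := range users {
		fmt.Printf("%s downloaded Boards files from %d distinct boards\n", u, flagged[u])
	}
}
```

On the constructed excerpt only alice is flagged (four boards); bob's repeated downloads from one board and carol's 404 are not. In a real deployment the threshold and window come from baselining the instance's own Boards traffic, and the path pattern must be adjusted to whatever the Boards file endpoint actually looks like in that deployment's logs.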