Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-10103— Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels

CVSS 4.3 · Medium EPSS 0.14% · P4

Possible ATT&CK Techniques 1AI

T1133 · External Remote Services

Affected Version Matrix 7

VendorProductVersion RangeStatus
MattermostMattermost11.7.0≤ 11.7.2affected
11.6.0≤ 11.6.4affected
10.11.0≤ 10.11.19affected
11.8.0unaffected
11.7.3unaffected
11.6.5unaffected
10.11.20unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-10103

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
MattermostMattermost 11.7.0 ~ 11.7.2 -

II. Public POCs for CVE-2026-10103

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-10103

登录查看更多情报信息。

Same Patch Batch · Mattermost · 2026-07-13 · 10 CVEs total

CVE-2026-68506.5 MEDIUMCrafted message attachment causes client-side denial of service via markdown parser regex
CVE-2026-101066.5 MEDIUMUnauthorized users can trigger interactive post actions in private channels via action coo
CVE-2026-95715.9 MEDIUMDeactivated user accounts can continue to obtain valid OAuth access tokens via refresh tok
CVE-2026-95975.4 MEDIUMDeactivated guest accounts can authenticate via magic-link token in Mattermost REST API lo
CVE-2026-100855.4 MEDIUMOrdinary group/direct message member can enable group_constrained and remove all channel p
CVE-2026-97084.9 MEDIUMIncoming webhook user attribution via unvalidated webhook owner
CVE-2026-65414.3 MEDIUMUnscoped updates to other playbooks' metric configuration
CVE-2026-98244.3 MEDIUMRemote cluster metadata enumeration via /share-channel autocomplete
CVE-2026-98203.8 LOWMattermost schemes teams endpoint exposes private team invite IDs

IV. Related Vulnerabilities

V. Comments for CVE-2026-10103

No comments yet


Leave a comment