{"api_version":"1","generated_at":"2026-07-16T03:04:54+00:00","cve":"CVE-2026-10103","urls":{"html":"https://cve.report/CVE-2026-10103","api":"https://cve.report/api/cve/CVE-2026-10103.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-10103","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-10103"},"summary":{"title":"Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels","description":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689","state":"PUBLISHED","assigner":"Mattermost","published_at":"2026-07-13 09:16:23","updated_at":"2026-07-14 15:16:54"},"problem_types":["CWE-639","CWE-639 CWE-639: Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"responsibledisclosure@mattermost.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://mattermost.com/security-updates","name":"https://mattermost.com/security-updates","refsource":"responsibledisclosure@mattermost.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-10103","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10103","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.7.0 11.7.2 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.6.0 11.6.4 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 10.11.0 10.11.19 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.8.0","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.7.3","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.6.5","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 10.11.20","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"ratrarity","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"10103","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mattermost","cpe5":"mattermost_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"10103","cve":"CVE-2026-10103","epss":"0.001450000","percentile":"0.041100000","score_date":"2026-07-14","updated_at":"2026-07-15 00:14:56"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-10103","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T14:18:49.512657Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T14:32:32.714Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.7.2","status":"affected","version":"11.7.0","versionType":"semver"},{"lessThanOrEqual":"11.6.4","status":"affected","version":"11.6.0","versionType":"semver"},{"lessThanOrEqual":"10.11.19","status":"affected","version":"10.11.0","versionType":"semver"},{"status":"unaffected","version":"11.8.0"},{"status":"unaffected","version":"11.7.3"},{"status":"unaffected","version":"11.6.5"},{"status":"unaffected","version":"10.11.20"}]}],"credits":[{"lang":"en","type":"finder","value":"ratrarity"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"CWE-639: Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-13T07:57:11.062Z","orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost"},"references":[{"name":"MMSA-2026-00689","tags":["vendor-advisory"],"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","value":"Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher."}],"source":{"advisory":"MMSA-2026-00689","defect":["https://mattermost.atlassian.net/browse/MM-69056"],"discovery":"EXTERNAL"},"title":"Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","assignerShortName":"Mattermost","cveId":"CVE-2026-10103","datePublished":"2026-07-13T07:57:11.062Z","dateReserved":"2026-05-29T15:37:04.097Z","dateUpdated":"2026-07-14T14:32:32.714Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-13 09:16:23","lastModifiedDate":"2026-07-14 15:16:54","problem_types":["CWE-639","CWE-639 CWE-639: Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T14:18:49.512657Z","id":"CVE-2026-10103","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"10.11.0","versionEndExcluding":"10.11.20","matchCriteriaId":"806B772A-4575-47F4-BD6B-7422C9045190"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.6.0","versionEndExcluding":"11.6.5","matchCriteriaId":"2B2D3A05-5A6F-4121-80BE-6DC87A30C354"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.7.0","versionEndExcluding":"11.7.3","matchCriteriaId":"61277B68-8856-4C8A-97CC-E37742682A4B"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"10103","Ordinal":"1","Title":"Authenticated remote cluster can modify or delete posts it does ","CVE":"CVE-2026-10103","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"10103","Ordinal":"1","NoteData":"Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689","Type":"Description","Title":"Authenticated remote cluster can modify or delete posts it does "}]}}}