LOW 3.1
GHSA-hw87-6jcq-9f8q
Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields
Details
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify a post's file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631.
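The class of flaw described above, as an added sketch that is not Mattermost's code: an edit-window check that gates only the message text, next to one that gates every editable field. The Post type, the function names, and the treatment of a non-positive limit as "no limit" are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"maps"
	"slices"
)

// Post is a hypothetical, reduced stand-in for a chat post (not Mattermost's model).
type Post struct {
	CreateAt int64 // creation time, Unix milliseconds
	Message  string
	FileIDs  []string
	Props    map[string]string
	IsPinned bool
}

// windowExpired reports whether the edit window has closed.
// Assumption of this sketch: limitSec <= 0 means no limit is configured.
func windowExpired(p Post, nowMs, limitSec int64) bool {
	return limitSec > 0 && nowMs > p.CreateAt+limitSec*1000
}

// messageOnlyCheck shows the flaw class: the limit gates Message only,
// so attachment, props and pin changes pass after the window has closed.
func messageOnlyCheck(old, upd Post, nowMs, limitSec int64) bool {
	return old.Message == upd.Message || !windowExpired(old, nowMs, limitSec)
}

// allFieldsCheck gates every user-editable field on the same window.
func allFieldsCheck(old, upd Post, nowMs, limitSec int64) bool {
	changed := old.Message != upd.Message ||
		old.IsPinned != upd.IsPinned ||
		!slices.Equal(old.FileIDs, upd.FileIDs) ||
		!maps.Equal(old.Props, upd.Props)
	return !changed || !windowExpired(old, nowMs, limitSec)
}

func main() {
	// Constructed sample: post created at t=0, 5 minute window, edit at 10 minutes.
	old := Post{CreateAt: 0, Message: "hi", FileIDs: []string{"f1"}}
	upd := old
	upd.FileIDs = nil // attachment removed, message untouched
	now, limit := int64(600000), int64(300)
	fmt.Println("message-only check allows edit:", messageOnlyCheck(old, upd, now, limit))
	fmt.Println("all-fields check allows edit:  ", allFieldsCheck(old, upd, now, limit))
}
```

A regression test for the fixed versions would assert the second behaviour for each of the three fields the advisory names.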
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in: 11.5.0
Fixed in: 11.5.2
Fix: go get github.com/mattermost/mattermost-server@v11.5.2

Go / github.com/mattermost/mattermost-server
Introduced in: 0.0.0-20250731163400-5b955468ea1e
Fixed in: 0.0.0-20260414103857-b21ef302025e
Fix: go get github.com/mattermost/mattermost-server@v0.0.0-20260414103857-b21ef302025e