What is GHSA-v549-xx3c-6pc8?

GHSA-v549-xx3c-6pc8 is a security advisory published by GitHub Security Advisories with Medium severity. Mattermost doesn't check the create_post channel permission during post edit operations

Which CVE IDs does GHSA-v549-xx3c-6pc8 cover?

GHSA-v549-xx3c-6pc8 covers the following CVE IDs: CVE-2026-3637. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-v549-xx3c-6pc8?

GHSA-v549-xx3c-6pc8 has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

Which products are affected by GHSA-v549-xx3c-6pc8?

GHSA-v549-xx3c-6pc8 affects 5 products, including: go/github.com/mattermost/mattermost/server/v8:\u003e= 10.11.0, \u003c 10.11.14; go/github.com/mattermost/mattermost/server/v8:\u003e= 11.4.0, \u003c 11.4.4; go/github.com/mattermost/mattermost/server/v8:\u003c 8.0.0-20260316171743-090408f09f53; go/github.com/mattermost/mattermost/server/v8:\u003e= 11.5.0, \u003c 11.5.2; go/github.com/mattermost/mattermost-server:\u003c 5.3.2-0.20260316171743-090408f09f53.

GHSA-v549-xx3c-6pc8MediumCVSS 4.3

Mattermost doesn't check the create_post channel permission during post edit operations

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-3637 →

📋 Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints.. Mattermost Advisory ID: MMSA-2026-00627

🎯 Affected products5

go/github.com/mattermost/mattermost/server/v8:>= 10.11.0, < 10.11.14
go/github.com/mattermost/mattermost/server/v8:>= 11.4.0, < 11.4.4
go/github.com/mattermost/mattermost/server/v8:< 8.0.0-20260316171743-090408f09f53
go/github.com/mattermost/mattermost/server/v8:>= 11.5.0, < 11.5.2
go/github.com/mattermost/mattermost-server:< 5.3.2-0.20260316171743-090408f09f53

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products5

🔗 References (4)