5.3
CVE-2024-50052: Mattermost: Authenticated users can delete posts from other users
GHSA-g376-m3h3-mj4r
CVE-2024-50052
Summary
Mattermost versions 9.10.x through 9.10.2, 9.11.x through 9.11.1, and 9.5.x through 9.5.9 allow an authenticated user to delete posts from any other user. This could be used to delete sensitive or important posts. To fix this, update to a patched version of Mattermost.
What to do
- Update github.com mattermost to version 8.0.0-20240926115259-20ed58906adc.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | mattermost | < 8.0.0-20240926115259-20ed58906adc (Fix: upgrade to 8.0.0-20240926115259-20ed58906adc) |
| – | mattermost | mattermost_server | >= 9.5.0, < 9.5.10; >= 9.10.0, < 9.10.3; >= 9.11.0, < 9.11.2 (`cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*`) |
Original title
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an ...
Original description
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
ghsa CVSS3.1
4.3
ghsa CVSS4.0
5.3
Vulnerability type
CWE-862
Missing Authorization
Published: 29 Oct 2024 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026