Cyber Resilience

CVE-2026-2457

Medium

Published: 16 March 2026

Modified: 18 March 2026
CVSS Score (v3.1): 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0011 (1.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2457 is a medium-severity Origin Validation Error (CWE-346) vulnerability in Mattermost Server (vendor: Mattermost). Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Impersonation (T1684.001). The CVE is ranked at the 1.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost…

Advisory ID: MMSA-2025-00569

CWE(s): CWE-346 (Origin Validation Error)
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1684.001 Impersonation (tactic tag: Stealth)
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Vulnerability directly enables spoofing of embeds to impersonate other users in posts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: mattermost
Product: mattermost server
Affected versions: 10.11.0 — 10.11.11 · 11.2.0 — 11.2.3 · 11.3.0 — 11.3.1

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-346: Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
- Addresses CWE-346: Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Addresses CWE-346: Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Addresses CWE-346: Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Addresses CWE-346: Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

References