CVE-2026-21386
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 11.3.0 <= 11.3.0 | affected |
| Mattermost | Mattermost | 11.2.0 <= 11.2.2 | affected |
| Mattermost | Mattermost | 10.11.0 <= 10.11.10 | affected |
| Mattermost | Mattermost | 11.4.0 | unaffected |
| Mattermost | Mattermost | 11.3.1 | unaffected |
| Mattermost | Mattermost | 11.2.3 | unaffected |
| Mattermost | Mattermost | 10.11.11 | unaffected |
Weaknesses
- CWE-203: CWE-203: Observable Discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.