CVE-2026-2578

Summary

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.3.0 <= 11.3.0affected
MattermostMattermost11.4.0unaffected
MattermostMattermost11.3.1unaffected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References