Description
Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-00580
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Private Channel Content
Action: Patch
AI Analysis

Impact

Mattermost server versions 10.11.x up to and including 10.11.10 fail to invalidate cached permalink preview data when a user loses channel access, which allows the user to view private channel content via previously cached previews until a cache reset or logout. The flaw results in unauthorized disclosure of private channel information and is classified as CWE-672.

Affected Systems

Mattermost Server is affected. The vulnerability exists in all 10.11.x releases through 10.11.10. Versions 10.11.11, 11.4.0, and all newer releases are not impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% shows a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog and there is no publicly documented exploit code. Attackers would need to have had prior access to the channel to obtain a permalink preview before the permission revocation.

Generated by OpenCVE AI on March 18, 2026 at 16:05 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 10.11.11 or higher.

OpenCVE Recommended Actions

  • Update Mattermost to version 10.11.11, 11.4.0, or any later releases.

Generated by OpenCVE AI on March 18, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Wed, 18 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 16 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-00580
Title Permalink Preview Information Disclosure After Permission Revocation
Weaknesses CWE-672
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-17T13:36:52.223Z

Reserved: 2026-01-29T15:19:16.856Z

Link: CVE-2026-1629

cve-icon Vulnrichment

Updated: 2026-03-17T13:36:45.620Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T21:16:19.727

Modified: 2026-03-18T13:56:22.443

Link: CVE-2026-1629

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:47Z

Weaknesses