Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID: MMSA-2025-00568
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Mattermost allows a removed team member to use the channel search API endpoint to enumerate all public channels within a private team. Because the system fails to properly validate team membership during channel searches, an attacker can retrieve the names of channels that belong to a private team, potentially leaking sensitive information about the team's structure and activity. This weakness is classified as CWE-862, Unauthorized Access to Privileged Information.

Affected Systems

Affected Mattermost Server versions are 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, and 10.11.x up to and including 10.11.10. Versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 and later are not affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further implying limited real-world exploitation. The likely attack vector is a remote, authenticated request to the channel search API; the attacker must already have a user account but not be a member of the target private team. No additional prerequisites or elevated privileges are required beyond the removed user’s credentials.

Generated by OpenCVE AI on March 18, 2026 at 19:39 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.

OpenCVE Recommended Actions

  • Update Mattermost to any of the following versions: 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.

Generated by OpenCVE AI on March 18, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-679f-wmrg-qf57 Mattermost allows a removed team member to enumerate all public channels within a private team
References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost server
Vendors & Products Mattermost server

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost
Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID: MMSA-2025-00568
Title Unauthorized channel enumeration in private teams after member removal
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mattermost Mattermost Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T13:49:57.631Z

Reserved: 2026-02-13T11:08:09.268Z

Link: CVE-2026-2458

cve-icon Vulnrichment

Updated: 2026-03-16T13:44:13.623Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:29.543

Modified: 2026-03-18T17:48:32.877

Link: CVE-2026-2458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:44Z

Weaknesses