Description
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion, which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

Mattermost versions 11.3.x up to and including 11.3.0 incorrectly handle the deletion of burn-on-read posts; the system does not preserve the redacted state when the post is removed, causing the original message contents to be sent to channel members via the WebSocket post deletion event. This flaw allows any channel member to view unrevealed content that should have remained hidden, constituting a clear information disclosure. The weakness is categorized as CWE-201 Information Exposure Through an Insufficiently Protected Output Mechanism.

Affected Systems

The affected product is Mattermost Server (vendor: Mattermost). Vulnerable releases are the 11.3.x line up to and including 11.3.0. The vendor guidance specifies that updating to 11.4.0, 11.3.1 or a later equivalent release resolves the issue.

Risk and Exploitability

The CVSS score of 4.3 indicates a modest level of risk. The EPSS score is reported as less than 1%, implying that exploitation frequency is low, and the vulnerability is not listed in CISA's KEV catalog. The attack requires the attacker to be a member of the channel and to trigger the deletion of a burn-on-read post; once triggered, the original message is exposed to all members via the WebSocket event. As the impact is limited to disclosure of message content, the overall risk is moderate, but prompt remediation is recommended.

Generated by OpenCVE AI on March 18, 2026 at 18:27 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1 or higher.


OpenCVE Recommended Actions

  • Apply the official Mattermost patch by updating to version 11.4.0, 11.3.1 or higher.

Generated by OpenCVE AI on March 18, 2026 at 18:27 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-3rhr-jr63-hwq5
Title: Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
References
History

Mon, 30 Mar 2026 07:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost server
Vendors & Products  |                | Mattermost server

Wed, 18 Mar 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost Server
CPEs                |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Mattermost; Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 12:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579
Title       |                | Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts
Weaknesses  |                | CWE-201
References  |                |
Metrics     |                | cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T13:49:55.812Z

Reserved: 2026-02-16T10:09:16.281Z

Link: CVE-2026-2578

Vulnrichment

Updated: 2026-03-16T13:43:46.276Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:30.840

Modified: 2026-03-18T17:42:38.763

Link: CVE-2026-2578

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:32Z

Weaknesses