Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616
Published: 2026-06-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated users with guest‑level access to receive role_updated websocket events for private teams or channels that the user is not a member of, revealing changes to permission schemes. This exposes sensitive operational information but does not enable direct code execution or data modification. The exposed data are notifications about team or channel permission changes, which could be used to map organizational structure or infer roles within the Mattermost instance. The flaw is identified as CWE‑200, Information Exposure.

Affected Systems

Mattermost version 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, 10.11.x up to 10.11.15, and 10.11.x up to 10.11.16 are affected. The vulnerability exists in the Mattermost product offered by the vendor Mattermost.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. EPSS is not available, and the issue is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation. However, the attack requires only an authenticated guest account and access to the websocket endpoint, so the potential risk of sensitive information disclosure is present for any organization running the vulnerable versions.

Generated by OpenCVE AI on June 12, 2026 at 18:51 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to at least version 11.7.0, 11.6.2, 11.5.5, 10.11.16, or 10.11.17 or any later release.
  • After upgrading, check that role_updated events are no longer delivered to guest users by conducting a test with a guest account or reviewing server logs for event filtering.
  • If a patch cannot be applied immediately, configure the reverse proxy or firewall to block guest users from connecting to the websocket endpoint used for real‑time notifications, mitigating exposure until a patch is deployed.

Generated by OpenCVE AI on June 12, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616
Title Mattermost fails to scope role_updated websocket events to authorized team and channel members
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-12T17:19:49.970Z

Reserved: 2026-03-02T12:48:20.745Z

Link: CVE-2026-3433

cve-icon Vulnrichment

Updated: 2026-06-12T17:19:46.282Z

cve-icon NVD

Status : Received

Published: 2026-06-12T17:16:22.467

Modified: 2026-06-12T17:16:22.467

Link: CVE-2026-3433

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:00:21Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor