Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to obtain data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626
Published: 2026-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Attackers can query the Mattermost API to retrieve detailed role information for team members even when they lack elevated permissions. The flaw arises because the system fails to sanitize the data returned by these endpoints. Consequently, an unauthenticated or lower-privileged user can learn the roles of any team member. This data leakage can enable social engineering, insider threat planning, or targeted exploits against privileged accounts.

Affected Systems

Versions of Mattermost from 10.11.x up to 10.11.14, 11.4.x up to 11.4.4, 11.5.x up to 11.5.3, and 11.6.x up to 11.6.0 are affected. The vendor recommends upgrading to 10.11.15 or newer, 11.4.5 or newer, 11.5.4 or newer, 11.6.1 or newer, or 11.7.0 or newer.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation evidence. The attack vector is inferred to be remote via the public API; a user with network access can invoke the endpoints and capture role data. Because the vulnerability is an information disclosure rather than a code execution flaw, immediate patching mitigates the risk.

Generated by OpenCVE AI on May 22, 2026 at 12:50 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to the patched versions listed in the vendor advisory.
  • Restrict the use of the team member API endpoints to privileged users by updating role-based access controls.
  • Enable logging and monitoring of API requests to detect unauthorized attempts to retrieve role data.



Advisories

No advisories yet.

References
History

Fri, 22 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost; Mattermost mattermost
Vendors & Products | | Mattermost; Mattermost mattermost

Fri, 22 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
Description | | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to obtain data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626
Title | | Sanitize team member data returned by API
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T12:13:43.868Z

Reserved: 2026-03-06T09:40:10.820Z

Link: CVE-2026-3636

Vulnrichment

Updated: 2026-05-22T12:13:39.934Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T13:00:13Z

Weaknesses