CVE-2026-6339 - Vulnerability Details

- Missing request origin validation on burn-on-read reveal endpoint

Description

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636

Published: 2026-05-18

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability causes the burn‑on‑read reveal endpoint to ignore the X-Requested-With request header. An authenticated member of the channel can embed a malicious Markdown image tag that triggers the endpoint, forcing the message to be revealed to the actor without the original recipient’s consent. The attacker obtains the full message contents that were otherwise hidden, which is a direct confidentiality breach for the channel members.

Affected Systems

Mattermost, versions 11.5.x up to 11.5.1 and 11.4.x up to 11.4.3 are affected. Upgrading to 11.6.0, 11.5.2, or 11.4.4 and later removes the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, so while exploitation likelihood is not quantified, the vulnerability can be abused by any authorized channel member. The required conditions are user authentication, channel membership, and the presence of a burn‑on‑read message; the attacker crafts a Markdown image tag to trigger the endpoint. The attack vector is remote, client‑side, and requires no elevated privileges beyond ordinary channel membership.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.5.0`	affected	≤ 11.5.1
`11.4.0`	affected	≤ 11.4.3
`11.6.0`	unaffected	—
`11.5.2`	unaffected	—
`11.4.4`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

No data.

Vendor Product Confidence Versions

Mattermost

100%

Version	Status	Scheme	Platform
`[11.5.0,11.5.1]`	affected	semver	—
`[11.4.0,11.4.3]`	affected	semver	—
`11.6.0`	unaffected	semver	—
`11.5.2`	unaffected	semver	—
`11.4.4`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 11.4.4 or higher.

OpenCVE Recommended Actions

Upgrade Mattermost to a patched release (11.6.0, 11.5.2, 11.4.4 or later).
Disable the burn‑on‑read feature in channels that store sensitive information until the update is applied.
Monitor API traffic for the burn‑on‑read endpoint and block requests lacking a proper X-Requested-With header if possible.

Generated by OpenCVE AI on May 18, 2026 at 10:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-xvcx-mgpc-5xh3	Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 18 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Server
CPEs		cpe:2.3:a:mattermost:mattermost_server::::::::
Vendors & Products		Mattermost mattermost Server

Mon, 18 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636
Title		Missing request origin validation on burn-on-read reveal endpoint
Weaknesses		CWE-346
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Mattermost Mattermost Mattermost Server

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-05-18T08:05:30.925Z

Updated: 2026-05-18T12:42:01.321Z

Reserved: 2026-04-15T10:27:52.835Z

Link: CVE-2026-6339

Vulnrichment

Updated: 2026-05-18T12:41:57.464Z

NVD

Status : Analyzed

Published: 2026-05-18T09:16:23.573

Modified: 2026-05-18T19:11:13.940

Link: CVE-2026-6339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses

CWE-346
Origin Validation Error

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object