Description
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes the burn‑on‑read reveal endpoint to ignore the X-Requested-With request header. An authenticated member of the channel can embed a malicious Markdown image tag that triggers the endpoint, forcing the message to be revealed to the actor without the original recipient’s consent. The attacker obtains the full message contents that were otherwise hidden, which is a direct confidentiality breach for the channel members.

Affected Systems

Mattermost, versions 11.5.x up to 11.5.1 and 11.4.x up to 11.4.3 are affected. Upgrading to 11.6.0, 11.5.2, or 11.4.4 and later removes the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, so while exploitation likelihood is not quantified, the vulnerability can be abused by any authorized channel member. The required conditions are user authentication, channel membership, and the presence of a burn‑on‑read message; the attacker crafts a Markdown image tag to trigger the endpoint. The attack vector is remote, client‑side, and requires no elevated privileges beyond ordinary channel membership.

Generated by OpenCVE AI on May 18, 2026 at 10:25 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 11.4.4 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to a patched release (11.6.0, 11.5.2, 11.4.4 or later).
  • Disable the burn‑on‑read feature in channels that store sensitive information until the update is applied.
  • Monitor API traffic for the burn‑on‑read endpoint and block requests lacking a proper X-Requested-With header if possible.

Generated by OpenCVE AI on May 18, 2026 at 10:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 18 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636
Title Missing request origin validation on burn-on-read reveal endpoint
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:05:30.925Z

Reserved: 2026-04-15T10:27:52.835Z

Link: CVE-2026-6339

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T09:16:23.573

Modified: 2026-05-18T09:16:23.573

Link: CVE-2026-6339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses