CVE-2026-21386

MEDIUM

Private channel enumeration via /mute slash command

Title source: cna

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 11.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-203

Status published

Products (10)

mattermost/mattermost 0 - 8.0.0-20260130144323-5bb5261c72faGo

Mattermost/Mattermost 10.11.0 - 10.11.10

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.2.0 - 11.2.2

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.0

Mattermost/Mattermost 11.3.1

Mattermost/Mattermost 11.4.0

mattermost/mattermost-server 0 - 5.3.2-0.20260130144323-5bb5261c72faGo

mattermost/mattermost_server 10.11.0 - 10.11.11

Published Mar 16, 2026

Tracked Since Mar 16, 2026