CVE-2026-3115

MEDIUM

Guest users can view group member IDs without respecting view restrictions

Title source: cna

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (12)

Mattermost/Mattermost 10.11.0 - 10.11.10

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.2.0 - 11.2.2

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.0 - 11.3.1

Mattermost/Mattermost 11.3.2

Mattermost/Mattermost 11.4.0

mattermost/mattermost 11.4.0 - 11.4.1Go

Mattermost/Mattermost 11.4.1

Mattermost/Mattermost 11.5.0

... and 2 more

Published Mar 26, 2026

Tracked Since Mar 26, 2026