Moderate severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026
Private channel enumeration via /mute slash command
CVE-2026-21386
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20260130144323-5bb5261c72fa | 8.0.0-20260130144323-5bb5261c72fa |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20260130144323-5bb5261c72fa | 5.3.2-0.20260130144323-5bb5261c72fa |
github.com/mattermost/mattermost-serverGo | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
github.com/mattermost/mattermost-serverGo | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
github.com/mattermost/mattermost-serverGo | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 5.3.2-0.20260130144323-5bb5261c72fa+ 2 more
- (no CPE)range: < 5.3.2-0.20260130144323-5bb5261c72fa
- (no CPE)range: < 8.0.0-20260130144323-5bb5261c72fa
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: 11.3.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5mr9-crcg-8wh2ghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-21386ghsaADVISORY
- github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41ghsaWEB
News mentions
0No linked articles in our index yet.