Moderate severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026
Private channel enumeration via /mute slash command
CVE-2026-21386
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20260130144323-5bb5261c72fa | 8.0.0-20260130144323-5bb5261c72fa |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20260130144323-5bb5261c72fa | 5.3.2-0.20260130144323-5bb5261c72fa |
github.com/mattermost/mattermost-serverGo | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
github.com/mattermost/mattermost-serverGo | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
github.com/mattermost/mattermost-serverGo | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
1- Range: 11.3.0
Patches
15bb5261c72faMM-67279: Fix private channel enumeration via /mute slash command (#35099)
3 files changed · +4 −7
server/channels/app/slashcommands/command_mute.go+1 −1 modified@@ -64,7 +64,7 @@ func (*MuteProvider) DoCommand(a *app.App, rctx request.CTX, args *model.Command channelMember, err := a.ToggleMuteChannel(rctx, channel.Id, args.UserId) if err != nil { - return &model.CommandResponse{Text: args.T("api.command_mute.not_member.error", map[string]any{"Channel": channelName}), ResponseType: model.CommandResponseTypeEphemeral} + return &model.CommandResponse{Text: args.T("api.command_mute.error", map[string]any{"Channel": channelName}), ResponseType: model.CommandResponseTypeEphemeral} } // Direct and Group messages won't have a nice channel title, omit it
server/channels/app/slashcommands/command_mute_test.go+3 −2 modified@@ -130,13 +130,14 @@ func TestMuteCommandNotMember(t *testing.T) { cmd := &MuteProvider{} - // First mute the channel + // Muting a channel that the user is not a member of should return + // the same error as a non-existent channel to prevent channel enumeration resp := cmd.DoCommand(th.App, th.Context, &model.CommandArgs{ T: i18n.IdentityTfunc(), ChannelId: channel1.Id, UserId: th.BasicUser.Id, }, channel2.Name) - assert.Equal(t, "api.command_mute.not_member.error", resp.Text) + assert.Equal(t, "api.command_mute.error", resp.Text) } func TestMuteCommandNotChannel(t *testing.T) {
server/i18n/en.json+0 −4 modified@@ -1261,10 +1261,6 @@ "id": "api.command_mute.no_channel.error", "translation": "Could not find the specified channel. Please use the [channel handle](https://docs.mattermost.com/messaging/managing-channels.html#naming-a-channel) to identify channels." }, - { - "id": "api.command_mute.not_member.error", - "translation": "Could not mute channel {{.Channel}} as you are not a member." - }, { "id": "api.command_mute.success_mute", "translation": "You will not receive notifications for {{.Channel}} until channel mute is turned off."
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-5mr9-crcg-8wh2ghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-21386ghsaADVISORY
- github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41ghsaWEB
News mentions
0No linked articles in our index yet.