Moderate severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026
Unauthorized channel enumeration in private teams after member removal
CVE-2026-2458
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 and 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Fixed in 11.3.1, 11.2.3 and 10.11.11 (see the affected packages table below). Mattermost Advisory ID: MMSA-2025-00568.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20260113182106-a18b80ba4c32 | 8.0.0-20260113182106-a18b80ba4c32 |
| github.com/mattermost/mattermost-server | Go | < 5.3.2-0.20260113182106-a18b80ba4c32 | 5.3.2-0.20260113182106-a18b80ba4c32 |
| github.com/mattermost/mattermost-server | Go | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
| github.com/mattermost/mattermost-server | Go | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
| github.com/mattermost/mattermost-server | Go | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
- Range: 11.3.0
Patches
- a18b80ba4c32: MM-67049: Fix unauthorized access to public channels in private teams (#34886)
  2 files changed · +23 −4
server/channels/store/sqlstore/channel_store.go+5 −4 modified@@ -3082,11 +3082,12 @@ func (s SqlChannelStore) Autocomplete(rctx request.CTX, userID, term string, inc OrderBy("c.DisplayName"). Limit(model.ChannelSearchDefaultLimit) + // Always filter out soft-deleted team memberships - users removed from + // a team should not see channels from that team regardless of includeDeleted + query = query.Where(sq.Eq{"tm.DeleteAt": 0}) + if !includeDeleted { - query = query.Where(sq.And{ - sq.Eq{"c.DeleteAt": 0}, - sq.Eq{"tm.DeleteAt": 0}, - }) + query = query.Where(sq.Eq{"c.DeleteAt": 0}) } if isGuest {
server/channels/store/storetest/channel_store.go+18 −0 modified@@ -6401,6 +6401,24 @@ func testAutocomplete(t *testing.T, rctx request.CTX, ss store.Store, s SqlStore }) } + // MM-67049: Verify that users removed from a team cannot see channels from that + // team, regardless of includeDeleted. The includeDeleted parameter should only + // affect channel deletion status, not team membership. + t.Run("MM-67049: removed team member cannot see channels regardless of includeDeleted", func(t *testing.T) { + // Sanity check: o5 is in leftTeamID and matches search term + require.Equal(t, leftTeamID, o5.TeamId) + require.Contains(t, o5.DisplayName, "ChannelA") + + // m1.UserId was removed from leftTeamID (tm5.DeleteAt was set above in the test setup) + for _, includeDeleted := range []bool{false, true} { + channels, err2 := ss.Channel().Autocomplete(rctx, m1.UserId, "ChannelA", includeDeleted, false) + require.NoError(t, err2) + for _, ch := range channels { + require.NotEqual(t, o5.Id, ch.Id, "includeDeleted=%v: channel from left team should not be returned", includeDeleted) + } + } + }) + t.Run("Limit", func(t *testing.T) { for i := range model.ChannelSearchDefaultLimit + 10 { _, err = ss.Channel().Save(rctx, &model.Channel{
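Review bot: in the channel_store.go hunk at `@@ -3082,11 +3082,12 @@`, hoisting `query = query.Where(sq.Eq{"tm.DeleteAt": 0})` out of the `!includeDeleted` branch is the right fix for Autocomplete, but its correctness depends on how the `tm` alias is joined, which is outside the hunk: if TeamMembers is attached with an outer join, `tm.DeleteAt = 0` is false for NULL rows and channels with no membership row at all are silently dropped, so the join type should be confirmed as inner (or the predicate written to reject NULL explicitly). Any other search builder in this store that takes an `includeDeleted` flag deserves the same sweep, since bundling the channel and membership deletion filters into one `sq.And` is exactly the kind of pattern that gets copied between query methods; this hunk covers only Autocomplete.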
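Review bot: the new subtest in the storetest hunk at `@@ -6401,6 +6401,24 @@` asserts only a negative (`require.NotEqual(t, o5.Id, ch.Id, ...)` inside the loop), so it would also pass if Autocomplete regressed to returning nothing for `m1.UserId`; add a positive control next to it asserting that a "ChannelA" channel from a team `m1.UserId` is still a live member of appears in `channels` for both `includeDeleted` values. The comment "tm5.DeleteAt was set above in the test setup" leans on state established much earlier in the function; a `require.NotZero` on that membership's `DeleteAt`, re-read from the store beside the two existing sanity checks, would make the precondition explicit and fail loudly if the setup ever changes.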
Vulnerability mechanics
In SqlChannelStore.Autocomplete (server/channels/store/sqlstore/channel_store.go), the predicate that restricts results to the caller's live team memberships, tm.DeleteAt = 0, was added to the query only when includeDeleted was false, because it was bundled into the same sq.And as the channel's own c.DeleteAt = 0 filter. A search with includeDeleted set to true therefore dropped both predicates at once: a user whose TeamMembers row had been soft-deleted (removed from the team) still matched channels of that team, and the public channels of a private team became enumerable by search term. The fix applies sq.Eq{"tm.DeleteAt": 0} unconditionally and leaves includeDeleted controlling only c.DeleteAt. The regression test added to server/channels/store/storetest/channel_store.go runs Autocomplete as a removed member with includeDeleted false and true and asserts that the left team's channel is never returned.
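As an added illustration (not code from the Mattermost repository), the following Go program evaluates the pre-fix and post-fix WHERE predicates from the Autocomplete hunk above in memory, over constructed Channels and TeamMembers rows, so the leak and its removal can be seen side by side. It assumes TeamMembers is inner-joined as `tm` (the join itself is outside the hunk), omits the guest branch, and uses made-up identifiers (`u-removed`, `t-private`, `t-home`, `ch-a` through `ch-d`).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the two tables the store query joins:
// Channels (alias c) and TeamMembers (alias tm). Mattermost soft-deletes
// rows by stamping a non-zero DeleteAt; 0 means the row is live.
type Channel struct {
	ID, TeamID, DisplayName string
	DeleteAt               int64
}

type TeamMember struct {
	TeamID, UserID string
	DeleteAt       int64
}

type Store struct {
	Channels []Channel
	Members  []TeamMember
}

// membership returns the TeamMembers row for (userID, teamID), i.e. the row an
// inner join on tm would produce; nil means the join yields no row at all.
func (s *Store) membership(userID, teamID string) *TeamMember {
	for i := range s.Members {
		tm := &s.Members[i]
		if tm.UserID == userID && tm.TeamID == teamID {
			return tm
		}
	}
	return nil
}

// Autocomplete evaluates the WHERE predicates of SqlChannelStore.Autocomplete
// in memory and returns matching channel IDs, sorted.
// patched=false reproduces the pre-fix clause: c.DeleteAt = 0 and
// tm.DeleteAt = 0 sit in one sq.And that is only added when includeDeleted
// is false. patched=true applies tm.DeleteAt = 0 unconditionally, as the
// MM-67049 commit does. The guest branch is not modelled (assumption).
func (s *Store) Autocomplete(userID, term string, includeDeleted, patched bool) []string {
	var ids []string
	for _, c := range s.Channels {
		if !strings.Contains(c.DisplayName, term) {
			continue
		}
		tm := s.membership(userID, c.TeamID)
		if tm == nil {
			continue // inner join: no membership row, no result row
		}
		memberLive := tm.DeleteAt == 0
		channelLive := c.DeleteAt == 0

		var visible bool
		if patched {
			visible = memberLive && (includeDeleted || channelLive)
		} else {
			// Vulnerable: includeDeleted=true skips the membership check as well.
			visible = includeDeleted || (memberLive && channelLive)
		}
		if visible {
			ids = append(ids, c.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleStore builds constructed data: u-removed was removed from the private
// team t-private (its TeamMembers row is soft-deleted) and remains a live
// member of t-home, which has one live and one archived matching channel.
func SampleStore() *Store {
	return &Store{
		Channels: []Channel{
			{ID: "ch-a", TeamID: "t-private", DisplayName: "ChannelA-private"},
			{ID: "ch-b", TeamID: "t-home", DisplayName: "ChannelA-home"},
			{ID: "ch-c", TeamID: "t-home", DisplayName: "ChannelA-archived", DeleteAt: 1700000000000},
			{ID: "ch-d", TeamID: "t-home", DisplayName: "Unrelated"},
		},
		Members: []TeamMember{
			{TeamID: "t-private", UserID: "u-removed", DeleteAt: 1700000000000},
			{TeamID: "t-home", UserID: "u-removed"},
		},
	}
}

func main() {
	s := SampleStore()
	for _, patched := range []bool{false, true} {
		for _, includeDeleted := range []bool{false, true} {
			fmt.Printf("patched=%-5v includeDeleted=%-5v -> %v\n",
				patched, includeDeleted, s.Autocomplete("u-removed", "ChannelA", includeDeleted, patched))
		}
	}
}
```

With the vulnerable predicate and includeDeleted=true, ch-a from the team the user was removed from is returned alongside the home-team channels; with the patched predicate the same call returns only ch-b and ch-c, and includeDeleted now affects nothing but the archived channel.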
References
- github.com/advisories/GHSA-679f-wmrg-qf57 (GitHub Security Advisory)
- mattermost.com/security-updates (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-2458 (NVD advisory)
- github.com/mattermost/mattermost/commit/a18b80ba4c324b74b3d47951c33957305af4a099 (fix commit)