Mattermost fails to use consistent error responses when handling the /mute command

GHSA-5mr9-crcg-8wh2 · CVE-2026-21386 · GO-2026-4744

Published Mar 16, 2026 · Modified Mar 23, 2026

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-21386
WEB https://github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes