Mattermost fails to preserve the redacted state of burn-on-read posts during deletion

GHSA-3rhr-jr63-hwq5 · CVE-2026-2578 · GO-2026-4734

Published Mar 16, 2026 · Modified Mar 23, 2026

Description

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-2578
WEB https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes