CVE-2026-21386
Information Disclosure via Inconsistent /mute Command Errors in Mattermost
Publication date: 2026-03-16
Last updated on: 2026-03-18
Assigner: Mattermost, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.11 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.3 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost (11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10) where the application fails to provide consistent error responses when handling the /mute command.
Because of this inconsistency, an authenticated team member can distinguish between private channels they are not authorized to know about and nonexistent channels by observing the differing error messages.
This allows the user to enumerate private channels that should otherwise be hidden from them.
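The discrepancy described above, shown as an added Go sketch that is not Mattermost's code: the channel store, handler names and error strings are all constructed for illustration. It puts a handler with the inconsistent-error pattern (CWE-203) beside one that answers identically for a hidden private channel and a nonexistent one.

```go
package main

import "fmt"

// Constructed model (not Mattermost's data model): channel name -> visibility and members.
type channel struct {
	private bool
	members map[string]bool
}

var channels = map[string]channel{
	"town-square": {private: false, members: map[string]bool{"alice": true, "bob": true}},
	"project-x":   {private: true, members: map[string]bool{"alice": true}},
}

const errNotFound = "Could not find the channel." // constructed message text

// muteInconsistent shows the flawed pattern: existence is checked first and
// membership second, each with its own message, so a non-member learns that
// a private channel with that name exists.
func muteInconsistent(user, name string) string {
	ch, ok := channels[name]
	if !ok {
		return errNotFound
	}
	if !ch.members[user] {
		return "You are not a member of this channel."
	}
	return "muted"
}

// muteUniform treats a private channel the caller cannot see exactly like a
// missing one, so both cases produce the same response.
func muteUniform(user, name string) string {
	ch, ok := channels[name]
	if !ok || (ch.private && !ch.members[user]) {
		return errNotFound
	}
	if !ch.members[user] { // public channel: its existence is not a secret
		return "You are not a member of this channel."
	}
	return "muted"
}

// leaks reports whether a handler answers a non-member differently for a
// hidden private channel than for a name that does not exist.
func leaks(h func(user, name string) string) bool {
	return h("bob", "project-x") != h("bob", "no-such-channel")
}

func main() {
	fmt.Println("inconsistent handler leaks:", leaks(muteInconsistent))
	fmt.Println("uniform handler leaks:", leaks(muteUniform))
}
```

The `leaks` helper doubles as a regression test: any handler that takes a channel name from the user should return the same response for "hidden" and "absent".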
How can this vulnerability impact me?
The vulnerability allows an authenticated user to discover the existence of private channels they are not authorized to access by analyzing error messages.
This can lead to information disclosure about the structure and membership of private communications within an organization.
While it does not grant access to the content of those channels, knowing about their existence could aid in further targeted attacks or social engineering.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know