CVE-2026-6339
Stored XSS in Mattermost via Burn-on-Read Message Reveal
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.4 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 11.5.x up to 11.5.1 and 11.4.x up to 11.4.3. It occurs because the application fails to validate the X-Requested-With header on the burn-on-read reveal endpoint.
As a result, an authenticated channel member can exploit this flaw by crafting a Markdown image tag that forces the reveal of a burn-on-read message without the recipient's consent.
How can this vulnerability impact me? :
This vulnerability allows an authenticated user within a channel to reveal burn-on-read messages without the intended recipient's consent.
The impact is limited to the unauthorized exposure of messages that are meant to be ephemeral and only viewable by specific recipients.
According to the CVSS score of 4.3, the vulnerability has a low to medium severity with no impact on confidentiality or integrity, but it can cause availability issues.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects Mattermost versions 11.5.x <= 11.5.1 and 11.4.x <= 11.4.3. To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 or 11.4.3 where the issue has been fixed.
Additionally, stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.