Primary

Context

Mattermost Cached Permalink Preview Data Invalidation Vulnerability Allowing Access to Private Channel Content

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.10, where the application fails to properly invalidate cached permalink preview data when a user loses access to a private channel. This flaw allows users to continue viewing private channel content through previously cached permalink previews until the cache is reset or the user relogs. Mattermost Advisory ID: MMSA-2026-00580

Impact

Exploitation of this vulnerability could lead to unauthorized access to private channel content via cached permalink previews.

Remediation

Users can upgrade to Mattermost version 10.11.10 or later to address this vulnerability.

Added: Mar 16, 2026, 9:29 PM

Updated: Mar 16, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

6.0

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

6.0

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Cached Permalink Preview Data Invalidation Vulnerability Allowing Access to Private Channel Content

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating