Primary

Context

Mattermost Improper Channel Membership Validation Vulnerability Allowing Unauthorized Team Name Access

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.9, where the application fails to properly validate channel membership during data retrieval. This flaw allows deactivated users to access team names they should not be privy to, exploiting a race condition in the '/common_teams' API endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access to team names, allowing deactivated users to gain knowledge of teams they should not have access to.

Remediation

Users can upgrade to Mattermost version 11.3.010.11.10 to address this vulnerability.

Added: Feb 13, 2026, 11:45 AM

Updated: Feb 13, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

2.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

2.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Improper Channel Membership Validation Vulnerability Allowing Unauthorized Team Name Access

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating