Mattermost Private Channel Enumeration Vulnerability via Inconsistent Error Messages

Vulnerability

A vulnerability exists in Mattermost versions 11.3.x through 11.3.0, 11.2.x through 11.2.2, and 10.11.x through 10.11.10. The application does not return uniform error responses when processing the /mute command: a nonexistent channel and a private channel the caller is not a member of produce different error messages. This inconsistency allows an authenticated team member to infer the existence of private channels they are not authorized to access.
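The pattern behind this class of bug, and the fix, shown as an added Go example that is not Mattermost's code: a constructed in-memory channel store with a leaky handler that returns two distinguishable errors, beside a hardened handler that treats an inaccessible private channel exactly like a nonexistent one. The channel names, users and function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, hypothetical channel store (not Mattermost's code) used only to
// illustrate the error-oracle pattern from the advisory and its fix.
type Channel struct {
	Private bool
	Members map[string]bool
}

var channels = map[string]*Channel{
	"town-square": {Private: false, Members: map[string]bool{"alice": true, "bob": true}},
	"exec-only":   {Private: true, Members: map[string]bool{"alice": true}},
}

// Vulnerable: two distinguishable errors let a caller tell
// "does not exist" apart from "exists but is hidden from me".
func muteLeaky(user, name string) error {
	ch, ok := channels[name]
	if !ok {
		return errors.New("channel not found")
	}
	if ch.Private && !ch.Members[user] {
		return errors.New("you do not have access to this private channel")
	}
	return nil
}

// Hardened: a channel the caller may not see is handled exactly like one that
// does not exist, so both paths return the same error value.
var errNotFound = errors.New("channel not found")

func muteUniform(user, name string) error {
	ch, ok := channels[name]
	if !ok || (ch.Private && !ch.Members[user]) {
		return errNotFound
	}
	return nil
}

func main() {
	for _, name := range []string{"does-not-exist", "exec-only"} {
		fmt.Printf("leaky   %s -> %v\n", name, muteLeaky("bob", name))
		fmt.Printf("uniform %s -> %v\n", name, muteUniform("bob", name))
	}
}
```

Status codes and response timing on the two paths need to match as well, since any observable difference reintroduces the oracle.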

Impact

Exploitation of this vulnerability could lead to unauthorized enumeration of private channels, allowing users to gain knowledge of channels they should not be aware of.

Remediation

Users can upgrade to Mattermost versions 11.5.0, 11.4.0, or 11.3.1 to address this vulnerability.

Added: Mar 16, 2026, 3:58 PM
Updated: Mar 16, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.