Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-6339

Summary
Assigner-Mattermost
Assigner Org ID-9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At-18 May, 2026 | 08:05
Updated At-18 May, 2026 | 12:42
Rejected At-
Credits

Missing request origin validation on burn-on-read reveal endpoint

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mattermost
Assigner Org ID:9302f53e-dde5-4bf3-b2f2-a83f91ac0eee
Published At:18 May, 2026 | 08:05
Updated At:18 May, 2026 | 12:42
Rejected At:
▼CVE Numbering Authority (CNA)
Missing request origin validation on burn-on-read reveal endpoint

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636

Affected Products
Vendor
Mattermost, Inc.Mattermost
Product
Mattermost
Default Status
unaffected
Versions
Affected
  • From 11.5.0 through 11.5.1 (semver)
  • From 11.4.0 through 11.4.3 (semver)
Unaffected
  • 11.6.0
  • 11.5.2
  • 11.4.4
Problem Types
TypeCWE IDDescription
CWECWE-346CWE-346: Origin Validation Error
Type: CWE
CWE ID: CWE-346
Description: CWE-346: Origin Validation Error
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Mattermost to versions 11.6.0, 11.5.2, 11.4.4 or higher.

Configurations
Workarounds
Exploits
Credits
finder
game0v3r
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://mattermost.com/security-updates
vendor-advisory
Hyperlink: https://mattermost.com/security-updates
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:responsibledisclosure@mattermost.com
Published At:18 May, 2026 | 09:16
Updated At:18 May, 2026 | 19:11

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 11.4.0(inclusive) to 11.4.4(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Mattermost, Inc.
mattermost
>>mattermost_server>>Versions from 11.5.0(inclusive) to 11.5.2(exclusive)
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-346Secondaryresponsibledisclosure@mattermost.com
CWE ID: CWE-346
Type: Secondary
Source: responsibledisclosure@mattermost.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://mattermost.com/security-updatesresponsibledisclosure@mattermost.com
Vendor Advisory
Hyperlink: https://mattermost.com/security-updates
Source: responsibledisclosure@mattermost.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

119Records found
CVE-2023-47858
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.56%
||
7 Day CHG~0.00%
Published-02 Jan, 2024 | 09:54
Updated-17 Jun, 2025 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Details of archived public channels are leaked to members of another team

Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2023-45223
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 57.75%
||
7 Day CHG~0.00%
Published-27 Nov, 2023 | 09:06
Updated-02 Aug, 2024 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Users full name disclosure through Mattermost Boards with Show Full Name Option disabled

Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-43754
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 57.75%
||
7 Day CHG~0.00%
Published-27 Nov, 2023 | 09:11
Updated-02 Aug, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels

Mattermost fails to check whether the  “Allow users to view archived channels”  setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-4044
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 66.46%
||
7 Day CHG~0.00%
Published-23 Nov, 2022 | 05:45
Updated-26 Nov, 2022 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-13870
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.03% / 8.52%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 09:28
Updated-03 Dec, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized access and subscription vulnerability in Boards

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-1472
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.01%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 14:11
Updated-01 Oct, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized View Access to Site Statistics and Team Statistics

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-41443
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.60%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 08:10
Updated-29 Oct, 2025 | 08:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guest user can discover active public channels

Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2023-2831
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.16%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 09:06
Updated-06 Dec, 2024 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service while unescaping a Markdown string

Mattermost fails to unescape Markdown strings in a memory-efficient way, allowing an attacker to cause a Denial of Service by sending a message containing a large number of escaped characters.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-27263
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.73%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 14:44
Updated-06 Dec, 2024 | 23:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDOR: Accessing playbook runs via the Playbooks Runs API

A missing permissions check in the /plugins/playbooks/api/v0/runs API in Mattermost allows an attacker to list and view playbooks belonging to a team they are not a member of.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2023-5967
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 26.80%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 15:24
Updated-12 Sep, 2024 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service via crashing the Calls Plugin

Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-48732
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 69.27%
||
7 Day CHG~0.00%
Published-02 Jan, 2024 | 09:52
Updated-03 Jun, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keywords that trigger mentions are leaked to other users

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-2408
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.35%
||
7 Day CHG~0.00%
Published-14 Jul, 2022 | 17:25
Updated-06 Dec, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guest accounts can list all public channels

The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-4019
Matching Score-8
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-8
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 60.27%
||
7 Day CHG~0.00%
Published-23 Nov, 2022 | 05:32
Updated-07 Nov, 2023 | 03:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server

A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostPlaybooks Plugin
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-14456
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-0.15% / 34.80%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:12
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_desktopn/a
CWE ID-CWE-346
Origin Validation Error
CVE-2023-3581
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.19% / 40.31%
||
7 Day CHG+0.01%
Published-17 Jul, 2023 | 15:20
Updated-30 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WebSockets accept connections from HTTPS origin

Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-346
Origin Validation Error
CVE-2026-2457
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 5.46%
||
7 Day CHG~0.00%
Published-16 Mar, 2026 | 11:20
Updated-18 Mar, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WebSocket Message Spoofing via Permalink Embed Manipulation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID: MMSA-2025-00569

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-346
Origin Validation Error
CVE-2024-41926
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-2.7||LOW
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 14:05
Updated-04 Sep, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Malicious remote can claim that a user was synced from another remote

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-346
Origin Validation Error
CVE-2024-2447
Matching Score-6
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-6
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.37%
||
7 Day CHG~0.00%
Published-05 Apr, 2024 | 08:52
Updated-13 Dec, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-346
Origin Validation Error
CVE-2020-28481
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.68%
||
7 Day CHG~0.00%
Published-19 Jan, 2021 | 14:45
Updated-16 Sep, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Defaults

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Action-Not Available
Vendor-socketn/a
Product-socket.iosocket.io
CWE ID-CWE-346
Origin Validation Error
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found