PT-2026-23031 · Mattermost · Mattermost

Winfunc · Published 2026-02-13 · Updated 2026-03-27 · CVE-2026-21386

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.0 through 10.11.10
Mattermost versions 11.2.0 through 11.2.2
Mattermost versions 11.3.0

Description

Mattermost does not consistently handle error responses when processing the /mute command. This allows an authenticated team member to identify private channels they are not authorized to access by observing differing error messages for nonexistent versus private channels. The issue occurs due to inconsistent error messaging when attempting to mute a user in a channel they are not a member of.

Recommendations

Mattermost versions 10.11.0 through 10.11.10 should be updated.
Mattermost versions 11.2.0 through 11.2.2 should be updated.
Mattermost version 11.3.0 should be updated.

Fix

Information Disclosure

Side Channel Attack

Weakness Enumeration

Related Identifiers

BDU:2026-06570
CVE-2026-21386
GHSA-5MR9-CRCG-8WH2
GO-2026-4744
SUSE-SU-2026:1135-1

Affected Products

Mattermost