PT-2026-25684 · Mattermost · Mattermost
0X7Oda7123
·
Published
2026-02-13
·
Updated
2026-03-27
·
CVE-2026-2458
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.11.x through 10.11.10
Mattermost versions 11.2.x through 11.2.2
Mattermost versions 11.3.x through 11.3.0
Description
The software does not correctly check team membership when searching for channels. This allows a team member who has been removed to list all public channels within a private team by using the channel search API endpoint
/api/channels/search. The issue affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.x through 11.3.0.Recommendations
Update Mattermost to a version later than 10.11.10.
Update Mattermost to a version later than 11.2.2.
Update Mattermost to a version later than 11.3.0.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost