PT-2026-41657 · Mattermost · Mattermost

Game0V3R · Published 2026-05-18 · Updated 2026-05-18 · CVE-2026-6339 · CVSS v3.1 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Mattermost 11.4.x up to and including 11.4.3; Mattermost 11.5.x up to and including 11.5.1.

Description: The burn-on-read reveal endpoint does not validate the X-Requested-With header. A browser does not attach that header to the request it issues for an image, so an authenticated channel member can post a crafted Markdown image tag whose source points at the reveal endpoint; when it is rendered, the burn-on-read message is revealed without the recipient's consent.

Recommendations: Update Mattermost 11.4.x (up to 11.4.3) to a version later than 11.4.3. Update Mattermost 11.5.x (up to 11.5.1) to a version later than 11.5.1.
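The following is an added illustration of the header check at issue, written for this page; it is not Mattermost's code, and the handler names, the `/reveal?id=` route, the in-memory store and the `session` cookie are all assumed for the example. It assumes the endpoint reveals on a cookie-authenticated GET, which is the only kind of request an image tag can produce. The vulnerable handler reveals the message on any authenticated request; the hardened one rejects requests that lack `X-Requested-With`, which a browser cannot attach to an image fetch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Store is a hypothetical in-memory record of which burn-on-read messages
// have been revealed. It is an illustration, not Mattermost's data model.
type Store struct {
	Revealed map[string]bool
}

func NewStore() *Store { return &Store{Revealed: map[string]bool{}} }

// reveal marks a message as revealed and reports whether it was still
// unrevealed: a burn-on-read message can be revealed only once.
func (s *Store) reveal(id string) bool {
	if s.Revealed[id] {
		return false
	}
	s.Revealed[id] = true
	return true
}

// VulnerableReveal mirrors the flaw described in the advisory: any
// authenticated request reveals the message, including the GET a browser
// issues for an <img> tag that the sender controls through Markdown.
func (s *Store) VulnerableReveal(w http.ResponseWriter, r *http.Request) {
	if !s.reveal(r.URL.Query().Get("id")) {
		http.Error(w, "already revealed", http.StatusGone)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// HardenedReveal requires the X-Requested-With header. A browser never adds
// a custom header to an <img>, <script> or plain form request; only the
// application's own XHR/fetch calls can set it, so an image tag can no
// longer trigger the reveal.
func (s *Store) HardenedReveal(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Requested-With") != "XMLHttpRequest" {
		http.Error(w, "missing X-Requested-With", http.StatusForbidden)
		return
	}
	if !s.reveal(r.URL.Query().Get("id")) {
		http.Error(w, "already revealed", http.StatusGone)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// FetchAsImage simulates what the recipient's browser sends when it renders
// <img src="..."> pointing at the endpoint: a GET carrying the session
// cookie and no custom headers. The cookie name is constructed for the example.
func FetchAsImage(h http.HandlerFunc, target string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "recipient-session"})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// FetchAsAppClient simulates the legitimate web client: the same request,
// but issued by the app's own JavaScript, which sets X-Requested-With.
func FetchAsAppClient(h http.HandlerFunc, target string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "recipient-session"})
	req.Header.Set("X-Requested-With", "XMLHttpRequest")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	v := NewStore()
	fmt.Println("vulnerable, image fetch:", FetchAsImage(v.VulnerableReveal, "/reveal?id=msg1"), "revealed:", v.Revealed["msg1"])
	h := NewStore()
	fmt.Println("hardened, image fetch:", FetchAsImage(h.HardenedReveal, "/reveal?id=msg1"), "revealed:", h.Revealed["msg1"])
	fmt.Println("hardened, app client:", FetchAsAppClient(h.HardenedReveal, "/reveal?id=msg1"), "revealed:", h.Revealed["msg1"])
	fmt.Println("hardened, second reveal:", FetchAsAppClient(h.HardenedReveal, "/reveal?id=msg1"))
}
```

The header check works because browsers refuse to attach custom headers to image, script and simple form requests without a CORS preflight, so the sender's Markdown cannot produce a request that passes it. It is a narrow control: a state-changing reveal should also not be reachable by GET at all and should carry a CSRF token, so that the check does not rest on the header alone.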

Fix

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2026-6339

Affected Products: Mattermost