CVE-2026-1629 in Mattermost
Summary
by MITRE • 03/16/2026
Mattermost versions 10.11.x <= 10.11.10 fail to invalidate cached permalink preview data when a user loses channel access, which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin. Mattermost Advisory ID: MMSA-2026-00580
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability affects Mattermost server versions 10.11.x up to and including 10.11.10, where the application fails to invalidate cached permalink preview data when a user loses access to a channel. The flaw stems from a cache management design that does not account for permission changes occurring after the content was first cached. When a user is removed from or otherwise loses access to a private channel, the system continues to serve the cached preview data from that channel, a persistent exposure that violates basic access control expectations.
The vulnerable component is the caching of permalink previews, which are generated when users share links to messages in private channels. These cached previews often contain partial message content or metadata that can reveal sensitive information about the channel even after the user's access has been revoked. Because the cache is consulted independently of real-time access control checks, cached data remains available regardless of later permission changes, so a user can keep viewing previously shared private channel content through the cached previews until the cache is cleared or the user re-authenticates.
The operational impact goes beyond simple information disclosure: it is an access control bypass. A user whose legitimate access has been revoked can continue to read private channel content through cached permalink previews, which matters most in environments where channel membership changes frequently. The result can be unauthorized access to sensitive communications, private discussions, or confidential information intended only for authorized personnel. This is particularly concerning in regulated environments where access control and audit trails are critical requirements.
Organizations should implement immediate mitigations, including regular cache clearing procedures, monitoring of cache invalidation events, and review of access control policies to ensure prompt revocation of user permissions. The implementation should align with security standards such as CWE-613, which addresses insufficient session management, and CWE-284, which covers improper access control. This vulnerability also relates to ATT&CK technique T1078 (valid accounts) and T1566, which covers credential access through social engineering, as it enables unauthorized access through previously legitimate cached content. Organizations should also consider automated cache invalidation that triggers on permission changes, as recommended in NIST SP 800-53 controls related to access control and audit logging.
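The stale-cache behaviour described above, and the invalidate-on-permission-change mitigation, as an added illustrative model in Go (this is not Mattermost's code; the `Server` and `Preview` types, the user, channel and post names and the preview text are all constructed). In vulnerable mode a cache hit is served without consulting channel membership; in hardened mode a hit is re-checked against membership and the user's entries are evicted when access is revoked.

```go
package main

import "strings"

// Constructed model (not Mattermost's code) of a permalink-preview cache that,
// in the vulnerable mode, serves a hit without re-checking channel membership.
type Preview struct{ ChannelID, Text string }

type Server struct {
	posts    map[string]Preview         // postID -> preview (constructed sample data)
	members  map[string]map[string]bool // channelID -> set of member userIDs
	cache    map[string]Preview         // "userID|postID" -> cached preview
	hardened bool                       // re-check on cache hit and evict on revocation
}

func NewServer(hardened bool) *Server {
	return &Server{
		posts:    map[string]Preview{"post1": {"private-ch", "Q3 numbers attached"}},
		members:  map[string]map[string]bool{"private-ch": {"alice": true}},
		cache:    map[string]Preview{},
		hardened: hardened,
	}
}

func (s *Server) canRead(user, channel string) bool { return s.members[channel][user] }

// GetPreview returns the preview text, or "" when the user may not read the post.
func (s *Server) GetPreview(user, postID string) string {
	key := user + "|" + postID
	if p, ok := s.cache[key]; ok && (!s.hardened || s.canRead(user, p.ChannelID)) {
		return p.Text // vulnerable mode: a hit is served without re-checking membership
	}
	p, ok := s.posts[postID]
	if !ok || !s.canRead(user, p.ChannelID) {
		return ""
	}
	s.cache[key] = p // cached while the user was still authorised
	return p.Text
}

// RemoveMember revokes channel access. The hardened server also evicts that user's
// cached previews for the channel, so the revocation takes effect immediately.
func (s *Server) RemoveMember(user, channel string) {
	delete(s.members[channel], user)
	for k, p := range s.cache {
		if s.hardened && p.ChannelID == channel && strings.HasPrefix(k, user+"|") {
			delete(s.cache, k)
		}
	}
}
```

Running both modes through the same sequence (read as a member, revoke, read again) shows the vulnerable server still returning the private preview after revocation while the hardened one returns nothing.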