CVE-2026-2458 in Mattermost

Summary

by MITRE • 03/16/2026

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory ID: MMSA-2025-00568


Analysis

by VulDB Data Team • 03/20/2026

This vulnerability resides in the Mattermost collaboration platform, where a missing access control check creates a significant information disclosure risk. The affected versions are 11.3.0 and earlier 11.3.x releases, 11.2.2 and earlier 11.2.x releases, and 10.11.10 and earlier 10.11.x releases. The issue manifests when a user who has been removed from a team searches channels within that private team: the search bypasses the access restrictions that should prevent such enumeration.

The flaw lies in the channel search API endpoint, which fails to validate the caller's team membership status during search operations. When a removed team member issues a search request, the endpoint returns all public channels of the private team without an authorization check. This is a classic access control failure that violates the principle of least privilege and proper authorization enforcement; it specifically affects the authentication and authorization mechanisms that should deny former team members access to team resources they no longer have legitimate access to.

The operational impact is substantial: the flaw enables unauthorized enumeration of team resources. An attacker who has been removed from a team can discover the complete list of public channels within a private team, potentially revealing sensitive information about team structure, project organization, and communication patterns. Knowledge of team composition and channel hierarchies could in turn facilitate further attacks. In effect the flaw creates a backdoor for information gathering that undermines the security model of private teams.

From a cybersecurity perspective, this vulnerability aligns with CWE-284 Access Control Issues and maps to the ATT&CK techniques T1087 Account Discovery and T1590 reconnaissance. It represents a privilege escalation vector that lets former team members obtain information they should not be able to access. Organizations running Mattermost with sensitive data or regulated compliance requirements face particular risk, as the flaw could expose confidential team communications and organizational structures. The impact extends beyond simple information disclosure: the enumerated data could support social engineering or targeted reconnaissance.

Recommended mitigations are an immediate upgrade to a patched Mattermost version where available, additional access controls at the network level, and monitoring for unusual search patterns that might indicate exploitation attempts. Organizations should also conduct access reviews to identify and remove unauthorized users from team environments. The vulnerability underlines the importance of input validation and access control enforcement in API endpoints, particularly those that offer search or enumeration capabilities. Security teams should log and alert on unauthorized access attempts and run regular assessments to find similar access control gaps in other collaboration platforms and applications.
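The missing check and its fix, as an added illustration in Go (Mattermost's implementation language) that is not Mattermost's own code: the Store model, SearchVulnerable, SearchFixed and the sample data are constructed for this example and do not reflect Mattermost's real types or endpoint.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed, simplified model of the entities the advisory mentions; these are
// not Mattermost's real types or its channel search implementation.
type Store struct {
	privateTeams map[string]bool            // teamID -> team is invite-only
	members      map[string]map[string]bool // teamID -> set of *current* member userIDs
	publicChans  map[string][]string        // teamID -> names of its public channels
}

// SearchVulnerable mirrors the flaw described above: it filters by team and term
// but never checks that the caller is still a member, so a removed user can enumerate.
func (s *Store) SearchVulnerable(userID, teamID, term string) ([]string, error) {
	return s.matching(teamID, term), nil
}

// SearchFixed performs the membership check before touching channel data. For a
// private team a caller absent from the current member set is rejected, and the
// error names user and team so the API layer can log it for the monitoring above.
func (s *Store) SearchFixed(userID, teamID, term string) ([]string, error) {
	if s.privateTeams[teamID] && !s.members[teamID][userID] {
		return nil, fmt.Errorf("forbidden: user=%s is not a member of team=%s", userID, teamID)
	}
	return s.matching(teamID, term), nil
}

// matching is the unprivileged name filter both variants share.
func (s *Store) matching(teamID, term string) []string {
	var names []string
	for _, name := range s.publicChans[teamID] {
		if strings.Contains(name, term) {
			names = append(names, name)
		}
	}
	return names
}

// SampleStore: constructed data, private team "eng" whose only current member is "alice".
func SampleStore() *Store {
	return &Store{
		privateTeams: map[string]bool{"eng": true},
		members:      map[string]map[string]bool{"eng": {"alice": true}},
		publicChans:  map[string][]string{"eng": {"incident-response", "payroll-migration"}},
	}
}
```

Calling SearchVulnerable as the removed user "mallory" returns both public channels, while SearchFixed returns the forbidden error and a current member's search still succeeds.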

Responsible

Mattermost

Reservation

02/13/2026

Disclosure

03/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00040

KEV

no

Activities

very low

Sources
