CVE-2026-21386

Aliases: GHSA-5mr9-crcg-8wh2, GO-2026-4744
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 16 Mar 2026, 14:51
Last modified:16 Mar 2026, 18:39

Vulnerability Summary

Overall Risk (default): low (17/100)
CVSS Score: 4.3 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.04% LOW (0.00% exploitation probability)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

16 Mar 2026, 14:51  Published (vulnerability first disclosed)
16 Mar 2026, 18:39  Last modified (vulnerability information updated)

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command, which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
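The enumeration oracle the description refers to, shown as an added example in Go (Mattermost's own language). This is not Mattermost's code and does not reproduce its /mute handler or its patch; the channel store, the user names, the error strings and the probe loop are constructed for illustration. The vulnerable function returns one error for a missing channel and a different one for a private channel the caller is not in; the hardened function returns the same "not found" error for both, so guessing names no longer confirms anything.

```go
package main

import (
	"errors"
	"fmt"
)

// channel is a constructed model of server-side state: visibility plus
// the set of members. Names and users are invented for this example.
type channel struct {
	private bool
	members map[string]bool
}

var store = map[string]channel{
	"town-square":   {private: false, members: map[string]bool{"alice": true, "bob": true}},
	"secret-merger": {private: true, members: map[string]bool{"alice": true}},
}

// Two distinct sentinel errors, the pattern CWE-203 warns about when both
// can reach a caller who is not entitled to know which one applied.
var (
	ErrNotFound = errors.New("channel does not exist")
	ErrNoAccess = errors.New("you do not have permission to access this channel")
)

// muteVulnerable leaks channel existence: the error text differs depending
// on whether the channel is missing or merely hidden from the caller.
func muteVulnerable(user, name string) error {
	ch, ok := store[name]
	if !ok {
		return ErrNotFound
	}
	if ch.private && !ch.members[user] {
		return ErrNoAccess
	}
	return nil
}

// muteHardened collapses the two cases: a private channel the caller cannot
// see is indistinguishable from a channel that does not exist.
func muteHardened(user, name string) error {
	ch, ok := store[name]
	if !ok || (ch.private && !ch.members[user]) {
		return ErrNotFound
	}
	return nil
}

// probe models an authenticated team member guessing channel names and
// classifying each by the error returned. It returns the names the caller
// can confirm exist despite not being a member of them.
func probe(mute func(user, name string) error, user string, guesses []string) []string {
	var leaked []string
	for _, g := range guesses {
		if errors.Is(mute(user, g), ErrNoAccess) {
			leaked = append(leaked, g)
		}
	}
	return leaked
}

func main() {
	// "bob" is on the team but not in the private channel.
	guesses := []string{"secret-merger", "secret-layoffs", "town-square"}
	fmt.Println("vulnerable:", probe(muteVulnerable, "bob", guesses)) // [secret-merger]
	fmt.Println("hardened:  ", probe(muteHardened, "bob", guesses))   // []
}
```

When applying this pattern to a real handler, check more than the message string: HTTP status, response body shape and response time must also be identical for the "missing" and "unauthorized" paths, or the oracle simply moves to whichever field still differs.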

CVSS Metrics

  • v3.1 MEDIUM, score 4.3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.04% Percentile: 13%

Techniques & Countermeasures

  • CWE-203: Observable Discrepancy

    The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Affected Systems

  • github.com/mattermost/mattermost-server

    ≥ 11.3.0-rc1+incompatible, < 11.3.1+incompatible | < 5.3.2-0.20260130144323-5bb5261c72fa | ≥ 10.11.0-rc1, < 10.11.11 | ≥ 11.2.0-rc1, < 11.2.3 | ≥ 11.3.0-rc1, < 11.3.1

  • github.com/mattermost/mattermost-server/v5

    all

  • github.com/mattermost/mattermost-server/v6

    all

  • github.com/mattermost/mattermost/server/v8

    < 8.0.0-20260130144323-5bb5261c72fa

  • mattermost:mattermost

    11.3.0 | ≥ 11.2.0, ≤ 11.2.2 | ≥ 10.11.0, ≤ 10.11.10

  • mattermost:mattermost_server

    ≥ 10.11.0, < 10.11.11 | ≥ 11.2.0, < 11.2.3 | ≥ 11.3.0, < 11.3.1
