{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21386", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-13T10:01:31.918Z", "datePublished": "2026-03-16T14:51:43.263Z", "dateUpdated": "2026-03-16T14:51:43.263Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.3.0", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.10", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.4.0", "status": "unaffected"}, {"version": "11.3.1", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}, {"version": "10.11.11", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "winfunc"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-203: Observable Discrepancy", "cweId": "CWE-203"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00588", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00588", "defect": ["https://mattermost.atlassian.net/browse/MM-67278"], "discovery": "EXTERNAL"}, "title": "Private channel enumeration via /mute slash command", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T14:51:43.263Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588"}], "id": "CVE-2026-21386", "lastModified": "2026-03-16T15:16:20.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-16T15:16:20.927", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{}