CVE-2026-21386 MEDIUM

CVE-2026-21386: Private channel enumeration via /mute slash command

Vendor Mattermost
Product Mattermost
Weakness CWE-203
Published March 16, 2026
Last update March 16, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

Key dates

02Disclosure timeline

March 16, 2026 CVE published
March 16, 2026 Record updated