2026-03-26 16:23CVE-2026-3115Mattermost
PUBLISHED5.2CWE-863

Guest users can view group member IDs without respecting view restrictions

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594

Problem type

Affected products

Mattermost

Mattermost

<= 11.2.2 - AFFECTED

<= 10.11.10 - AFFECTED

<= 11.4.0 - AFFECTED

<= 11.3.1 - AFFECTED

11.5.0 - UNAFFECTED

11.2.3 - UNAFFECTED

10.11.11 - UNAFFECTED

11.4.1 - UNAFFECTED

11.3.2 - UNAFFECTED

References

GitHub Security Advisories

GHSA-mpc7-mm28-f6wq

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1...

https://github.com/advisories/GHSA-mpc7-mm28-f6wq

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-3115
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-3115",
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "dateUpdated": "2026-03-26T17:51:14.689Z",
    "dateReserved": "2026-02-24T11:06:52.132Z",
    "datePublished": "2026-03-26T16:23:05.887Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost",
        "dateUpdated": "2026-03-26T16:23:05.887Z"
      },
      "title": "Guest users can view group member IDs without respecting view restrictions",
      "descriptions": [
        {
          "lang": "en",
          "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594"
        }
      ],
      "affected": [
        {
          "vendor": "Mattermost",
          "product": "Mattermost",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "11.2.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "11.2.2"
            },
            {
              "version": "10.11.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "10.11.10"
            },
            {
              "version": "11.4.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "11.4.0"
            },
            {
              "version": "11.3.0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "11.3.1"
            },
            {
              "version": "11.5.0",
              "status": "unaffected"
            },
            {
              "version": "11.2.3",
              "status": "unaffected"
            },
            {
              "version": "10.11.11",
              "status": "unaffected"
            },
            {
              "version": "11.4.1",
              "status": "unaffected"
            },
            {
              "version": "11.3.2",
              "status": "unaffected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-863: Incorrect Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://mattermost.com/security-updates",
          "name": "MMSA-2026-00594",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update Mattermost to versions 11.5.0, 11.2.3, 10.11.11, 11.4.1, 11.3.2 or higher."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "winfunc",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T17:51:14.689Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}