CVE-2026-21386

CWE-203 | 6 documents | 5 sources

Severity: 4.3 MEDIUM
EPSS: 0.0% (top 90.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16; Latest update Mar 23

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command. Because the error message differs for a nonexistent channel versus a private channel, an authenticated team member can enumerate private channels they are not authorized to know about.

Mattermost Advisory ID: MMSA-2026-00588

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

Source     | Package                                    | From                                | To
NVD        | mattermost/mattermost_server               | 10.11.0                             | 10.11.11 (+2)
Go         | github.com/mattermost/mattermost-server    | 10.11.0-rc1+incompatible            | 10.11.11+incompatible (+6)
Go         | github.com/mattermost/mattermost/server/v8 | < 8.0.0-20260130144323-5bb5261c72fa |
CVEListV5  | mattermost/mattermost                      | 11.3.0                              | 11.3.0 (+2)

🔴 Vulnerability Details (4)

- OSV: Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server (2026-03-23)
- OSV: Mattermost fails to use consistent error responses when handling the /mute command (2026-03-16)
- CVEList: Private channel enumeration via /mute slash command (2026-03-16)
- GHSA: Mattermost fails to use consistent error responses when handling the /mute command (2026-03-16)

🕵️ Threat Intelligence (1)

- Wiz: CVE-2026-21386 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-21386 (MEDIUM CVSS 4.3) | Mattermost versions 11.3.x <= 11.3.0 | cvebase.io