CVE-2026-3115 — Incorrect Authorization in Mattermost Mattermost Server V8

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 91.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost Server V8 Mattermost Server Mattermost

Timeline

PublishedMar 26

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.11+3

▶Gogithub.com/mattermost_mattermost_server_v811.4.0 — 11.4.1+4

▶CVEListV5mattermost/mattermost11.2.0 — 11.2.2+3

🔴Vulnerability Details

GHSA

Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope↗2026-03-26

▶

CVEList

Guest users can view group member IDs without respecting view restrictions↗2026-03-26

▶

OSV

Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope↗2026-03-26

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3115 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶