CVE-2026-3636
Published 2026-05-22
Priority: P4 · Severity: medium · CVSS 3.1 base score: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.18% (8.2th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to get data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| github.com | mattermost_mattermost-server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| github.com | mattermost_mattermost-server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| github.com | mattermost_mattermost-server | >= 11.6.0 < 11.6.1 | 11.6.1 |
| mattermost | mattermost | 10.11.0 – 10.11.14 | — |
| mattermost | mattermost | 11.4.0 – 11.4.4 | — |
| mattermost | mattermost | 11.5.0 – 11.5.3 | — |
| mattermost | mattermost | 11.6.0 – 11.6.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| mattermost | mattermost_server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| mattermost | mattermost_server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| mattermost | mattermost_server | >= 11.6.0 < 11.6.1 | 11.6.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| cvelistv5 | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
GHSA
ghsa · 2026-05-26 · CVE-2026-3636 [MEDIUM] · CWE-200
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to get data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626.
GHSA (unreviewed)
ghsa_unreviewed · 2026-05-26 · CVE-2026-3636 [MEDIUM] · CWE-200
GHSA-ffpr-pfr4-g354: Mattermost versions 11
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to get data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626.
CVEList
cvelistv5 · 2026-05-22 · CVSS 4.3 · CVE-2026-3636 [MEDIUM] · CWE-200
Sanitize team member data returned by API
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to get data about team members' roles by invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626.
VulDB
vuldb · 2026-05-22 · CVE-2026-3636 [LOW]
Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 API information disclosure
A vulnerability was found in Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 and classified as problematic. This affects an unknown part of the component API. Such manipulation leads to information disclosure.
This vulnerability is referenced as CVE-2026-3636. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22