CVE Catalog

CVE-2026-3433

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 and 10.11.x <= 10.11.16 fail to restrict 'role_updated' websocket event broadcasts to members of the affected team or channel. This allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of.

Risk Assessment

An attacker may gain access to information about permission changes in private teams, potentially leading to unauthorized disclosure of sensitive data.

Recommendation

It is recommended to update Mattermost to the latest version to mitigate this vulnerability and restrict websocket event access only to authorized team members.

Original NVD description (English source)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616

Vulnerability data from NVD (NIST) · CISA KEV · EPSS