CVE-2026-3115

MEDIUM4.3EPSS 0.01%

Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope

Published: 3/26/2026Modified: 3/31/2026

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594.

Affected packages (1)

Go/github.com/mattermost/mattermost/server/v8>= 11.4.0, < 11.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3115
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates