CVE-2026-2578

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 14:19

Updated : 2026-03-18 17:42

NVD link : CVE-2026-2578

Mitre link : CVE-2026-2578

CVE.ORG link : CVE-2026-2578

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-201

Insertion of Sensitive Information Into Sent Data

4.3 /10