CVE-2026-21386: Mattermost fails to use consistent error responses when handling the /mute command

March 16, 2026 (updated March 18, 2026)

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

References

github.com/advisories/GHSA-5mr9-crcg-8wh2
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-21386

Code Behaviors & Features

Detect and mitigate CVE-2026-21386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →