CVE-2026-2578: Mattermost fails to preserve the redacted state of burn-on-read posts during deletion

March 16, 2026 (updated March 17, 2026)

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

References

github.com/advisories/GHSA-3rhr-jr63-hwq5
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-2578

Code Behaviors & Features

Detect and mitigate CVE-2026-2578 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →