GHSA-2xf7-hmf6-p64j

Source

https://github.com/advisories/GHSA-2xf7-hmf6-p64j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2xf7-hmf6-p64j

Aliases

Published

2026-02-13T12:31:21Z

Modified

2026-02-23T19:41:17.607287Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Mattermost doesn't properly validate channel membership at the time of data retrieval

Details

Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549

Database specific

{
    "github_reviewed_at": "2026-02-13T20:55:54Z",
    "nvd_published_at": "2026-02-13T11:16:10Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-367"
    ],
    "github_reviewed": true
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.11.0

Fixed

10.11.10

Database specific

last_known_affected_version_range

"<= 10.11.9"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json"