GHSA-57cc-2pf4-mhmx

Source
https://github.com/advisories/GHSA-57cc-2pf4-mhmx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-57cc-2pf4-mhmx
Aliases
Published
2026-02-16T15:32:47Z
Modified
2026-04-01T17:34:52.830031Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to properly validate team membership when processing channel mentions
Details

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions, which allows authenticated users to determine the existence of teams and their URL names by posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T19:35:24Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-02-16T13:15:59Z",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Go
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.0.0-20251209134645-761e56bb11cc

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json"

github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
11.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json"
last_known_affected_version_range
"< 11.1.3"

github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
10.11.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json"
last_known_affected_version_range
"< 10.11.10"

github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
11.2.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json"
last_known_affected_version_range
"< 11.2.2"

github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.3.2-0.20251209134645-761e56bb11cc

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-57cc-2pf4-mhmx/GHSA-57cc-2pf4-mhmx.json"