{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2578", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-16T10:09:16.281Z", "datePublished": "2026-03-16T11:58:09.834Z", "dateUpdated": "2026-03-16T13:49:55.812Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.3.0", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"version": "11.4.0", "status": "unaffected"}, {"version": "11.3.1", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "cweId": "CWE-201"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00579", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.4.0, 11.3.1 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00579", "defect": ["https://mattermost.atlassian.net/browse/MM-67127"], "discovery": "EXTERNAL"}, "title": "Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T11:58:09.834Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:42:18.043453Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:49:55.812Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:42:18.043453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:43:46.276Z"}}], "cna": {"title": "Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67127"], "advisory": "MMSA-2026-00579", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.0"}, {"status": "unaffected", "version": "11.4.0"}, {"status": "unaffected", "version": "11.3.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.4.0, 11.3.1 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00579", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T11:58:09.834Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2578", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:49:55.812Z", "dateReserved": "2026-02-16T10:09:16.281Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-16T11:58:09.834Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98", "versionEndExcluding": "11.3.1", "versionStartIncluding": "11.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579"}, {"lang": "es", "value": "Mattermost versiones 11.3.x &lt;= 11.3.0 no logran preservar el estado redactado de las publicaciones de autodestrucci\u00f3n tras lectura durante la eliminaci\u00f3n, lo que permite a los miembros del canal acceder al contenido no revelado de los mensajes de autodestrucci\u00f3n tras lectura a trav\u00e9s del evento de eliminaci\u00f3n de publicaci\u00f3n de WebSocket. ID de Aviso de Mattermost: MMSA-2026-00579"}], "id": "CVE-2026-2578", "lastModified": "2026-03-18T17:42:38.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:30.840", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.3.0,11.3.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.1"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "server", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-18T18:27:04.783255+00:00", "value": {"mitigation_remediation": ["Apply the official Mattermost patch by updating to version\u00a011.4.0,\u00a011.3.1\u00a0or higher."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Mattermost\u00a0Mattermost Server. Vulnerable releases include all 11.3.x versions where the latest is 11.3.0 or earlier. The vendor guidance specifies that updating to 11.4.0, 11.3.1 or a later equivalent release resolves the issue.", "description_and_impact": "Mattermost versions 11.3.x up to and including 11.3.0 incorrectly handle the deletion of burn-on-read posts; the system does not preserve the redacted state when the post is removed, causing the original message contents to be sent to channel members via the WebSocket post deletion event. This flaw allows any channel member to view unrevealed content that should have remained hidden, constituting a clear information disclosure. The weakness is categorized as CWE-201\u00a0Information Exposure Through an Insufficiently Protected Output Mechanism.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a modest level of risk. The EPSS score is reported as less than 1%, implying that exploitation frequency is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack requires the attacker to be a member of the channel and to trigger the deletion of a burn\u2011on\u2011read post; once triggered, the original message is exposed to all members via the WebSocket event. As the impact is limited to disclosure of message content, the overall risk is moderate, but remediation is recommended promptly."}}}}, "created": "2026-03-24T10:44:42.687020+00:00", "updated": "2026-03-30T07:02:32.406591+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$server"]}