CVE-2026-3433
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15 and 10.11.x <= 10.11.16 fail to restrict 'role_updated' websocket event broadcasts to members of the affected team or channel. This allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of.
Risk Assessment
An attacker may gain access to information about permission changes in private teams, potentially leading to unauthorized disclosure of sensitive data.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability and restrict websocket event access only to authorized team members.
Original NVD description (English source)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.. Mattermost Advisory ID: MMSA-2026-00616

