PatchSiren cyber security CVE debrief
CVE-2026-3433 Mattermost CVE debrief
CVE-2026-3433 is a vulnerability in Mattermost, a self-hosted, open-source, and customizable platform for team communication. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. It was published on 2026-06-12T17:16:22.467Z and has not been modified since its publication.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16 should be aware of this vulnerability.
Technical summary
The vulnerability occurs because Mattermost fails to restrict role_updated websocket event broadcasts to members of the affected team or channel. This allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection.
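To make the defect class concrete, the following is an added example written for this debrief, not Mattermost's own code: a hypothetical, simplified websocket event hub in Go in which a team-scoped event is either pushed to every connected session (the unrestricted pattern the advisory describes) or only to sessions whose user belongs to the event's team. The session and event types, the team IDs and the user names are constructed for the illustration.

```go
package main

import "fmt"

// Session models one websocket connection: the user behind it, the teams that
// user belongs to, and the event names it has received. (Hypothetical model.)
type Session struct {
	UserID   string
	TeamIDs  map[string]bool
	Received []string
}

// Event is a websocket event; TeamID names the team it concerns, and an empty
// TeamID marks an event that is legitimately global.
type Event struct {
	Name   string // e.g. "role_updated"
	TeamID string
}

// Hub holds every connected session.
type Hub struct {
	Sessions []*Session
}

// BroadcastUnrestricted mirrors the defect class in the advisory: the event is
// delivered to every session, whether or not the user is on the affected team.
// It returns the number of sessions that received the event.
func (h *Hub) BroadcastUnrestricted(ev Event) int {
	n := 0
	for _, s := range h.Sessions {
		s.Received = append(s.Received, ev.Name)
		n++
	}
	return n
}

// BroadcastScoped is the hardened form: a team-scoped event is delivered only
// to sessions whose user is a member of that team; global events go to all.
func (h *Hub) BroadcastScoped(ev Event) int {
	n := 0
	for _, s := range h.Sessions {
		if ev.TeamID != "" && !s.TeamIDs[ev.TeamID] {
			continue // non-member: nothing about this team leaks to this session
		}
		s.Received = append(s.Received, ev.Name)
		n++
	}
	return n
}

// SampleHub builds a constructed hub: one team member and one guest account
// that is not a member of the private team.
func SampleHub() *Hub {
	return &Hub{Sessions: []*Session{
		{UserID: "alice", TeamIDs: map[string]bool{"team-private": true}},
		{UserID: "guest-bob", TeamIDs: map[string]bool{"team-public": true}},
	}}
}

func main() {
	ev := Event{Name: "role_updated", TeamID: "team-private"}

	unrestricted := SampleHub()
	fmt.Println("unrestricted recipients:", unrestricted.BroadcastUnrestricted(ev))

	scoped := SampleHub()
	fmt.Println("scoped recipients:", scoped.BroadcastScoped(ev))
	for _, s := range scoped.Sessions {
		fmt.Printf("  %s received %v\n", s.UserID, s.Received)
	}
}
```

The point of the scoped variant is that the membership check happens at delivery time, per session, rather than relying on the client to ignore events it should not see; a guest connection that never receives the event has nothing to observe.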
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of Mattermost that is not vulnerable.
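To check an installed server against the ranges this debrief lists, here is an added Go example (not Mattermost's tooling) that parses a MAJOR.MINOR.PATCH version string and reports whether it falls inside one of the affected ranges. The ranges are transcribed from the "Who should care" section exactly as stated there, including both 10.11.x entries; the sample version strings in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRange is a closed patch range [PatchLow, PatchHigh] within one
// MAJOR.MINOR series.
type affectedRange struct {
	Major, Minor, PatchLow, PatchHigh int
}

// affectedRanges transcribes the ranges stated in the advisory:
// 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16.
// The two 10.11.x entries are kept as listed on the page.
var affectedRanges = []affectedRange{
	{11, 6, 0, 1},
	{11, 5, 0, 4},
	{10, 11, 0, 15},
	{10, 11, 0, 16},
}

// parseVersion splits "MAJOR.MINOR.PATCH" (an optional leading "v" is
// tolerated) into three non-negative integers.
func parseVersion(v string) (int, int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("non-numeric component %q in %q", p, v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// IsAffected reports whether version lies in one of the listed ranges.
// A version in a series the advisory does not mention returns false: this
// check only knows what the page states, so treat false as "not listed",
// not as a guarantee of safety.
func IsAffected(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if major == r.Major && minor == r.Minor &&
			patch >= r.PatchLow && patch <= r.PatchHigh {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs for a stand-alone run.
	for _, v := range []string{"11.6.1", "11.6.2", "11.5.4", "10.11.16", "10.11.17", "bad"} {
		hit, err := IsAffected(v)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Printf("%s affected=%v\n", v, hit)
	}
}
```

Feed it the version reported by your server (for example from the admin console's About dialog or the server's version endpoint) and patch any deployment that returns true.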
Evidence notes
The CVE was obtained from the NVD database. The Mattermost Advisory ID is MMSA-2026-00616.
Official resources
- CVE-2026-3433 CVE record (CVE.org)
- CVE-2026-3433 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: CVE-2026-3433 was published on 2026-06-12T17:16:22.467Z and has not been modified since its publication.