PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3495 Mattermost CVE debrief

Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13 contain a stored cross-site scripting (XSS) vulnerability in error page composition. The application fails to properly escape variables that may contain malicious content when rendering error pages. An attacker with administrative privileges to edit site configuration can inject JavaScript payloads into these variables, which execute when error pages are rendered. Because the vulnerability requires high privileges (administrative access to site configuration), its exploitability is limited. The CVSS 3.1 score of 3.8 reflects that high privilege requirement: the attack vector is network-based, but the confidentiality and integrity impact are low. Mattermost has assigned advisory ID MMSA-2026-00622 to this issue.

Vendor: Mattermost
Product: Unknown
CVSS: LOW 3.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Mattermost Server administrators and security teams responsible for collaboration platform security. Organizations running affected versions with multiple administrators or delegated configuration management roles face elevated risk of insider abuse. Security-conscious deployments with strict administrative access controls have reduced exposure.

Technical summary

The vulnerability exists in error page template rendering where dynamic variables are not properly HTML-escaped before output. An attacker with site configuration editing privileges can manipulate configuration values that populate error page templates, embedding JavaScript payloads. When error conditions trigger these pages, the unescaped content renders in the victim's browser context. The attack requires authenticated administrative access, making it a privileged insider threat scenario rather than unauthenticated exploitation.
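To make the template-escaping point concrete, here is an added example written for this debrief; it is not Mattermost code and the template, field names and sample values are constructed. It renders the same error page source with Go's text/template (plain substitution, the CWE-79 pattern) and with html/template (context-aware escaping, the remediation), using a configuration value that carries an inert script tag and a javascript: link:

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// errorPageData carries the values an error page template interpolates.
// The field names are hypothetical; they are not Mattermost's.
type errorPageData struct {
	SiteName    string
	Message     string
	SupportLink string
}

// errorPageSource is a constructed error page, not the real template.
// The same source is fed to both engines so the only variable is escaping.
const errorPageSource = `<html><body><h1>{{.SiteName}}</h1>` +
	`<p>{{.Message}}</p><a href="{{.SupportLink}}">Contact support</a></body></html>`

// renderUnescaped reproduces the CWE-79 pattern: text/template performs plain
// substitution, so markup stored in a configuration value reaches the browser as markup.
func renderUnescaped(d errorPageData) (string, error) {
	tmpl, err := texttemplate.New("error").Parse(errorPageSource)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped is the corrected form: html/template is context-aware, so the
// same values are HTML-escaped in element text and filtered as URLs inside href.
func renderEscaped(d errorPageData) (string, error) {
	tmpl, err := template.New("error").Parse(errorPageSource)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawScript is the check a regression test would make: does a literal
// <script> element survive into the rendered page?
func containsRawScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

// sampleData is a constructed set of values as an administrator with
// configuration access could have stored them; the payload is inert.
func sampleData() errorPageData {
	return errorPageData{
		SiteName:    `Team Chat<script>injected()</script>`,
		Message:     "The page you requested could not be loaded.",
		SupportLink: "javascript:injected()",
	}
}

func main() {
	d := sampleData()
	raw, _ := renderUnescaped(d)
	safe, _ := renderEscaped(d)
	fmt.Println("text/template leaves <script> intact:", containsRawScript(raw))
	fmt.Println("html/template neutralises it:", !containsRawScript(safe))
	fmt.Println(safe)
}
```

With html/template the script tag comes out as `&lt;script&gt;…&lt;/script&gt;` and the javascript: link is replaced by `#ZgotmplZ`, which is the library's marker for a filtered unsafe URL. The escaped-vs-unescaped pair is the shape of the unit test that would have caught this class of defect before release.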

Defensive priority

routine

Recommended defensive actions

  • Upgrade Mattermost Server to version 10.11.14 or later for the 10.11.x branch, or version 11.5.2 or later for the 11.5.x branch
  • Review site configuration settings for unauthorized modifications, particularly any injected scripts in error-related variables
  • Apply the principle of least privilege to administrative accounts with site configuration access
  • Monitor error page rendering for unexpected script execution
  • Apply security updates from Mattermost security advisories promptly
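The second action above, reviewing configuration for injected markup, can be scripted. The following is an added example for this debrief, not a Mattermost tool: it walks an arbitrary JSON configuration document and flags every string value that contains a tag opener, an inline event-handler attribute or a script URL scheme. The sample document is constructed; its section and key names are modelled on config.json conventions but are not asserted to be the settings affected by this CVE.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// suspiciousMarkup matches the fragments a stored-XSS payload in a free-text
// setting would need: a tag opener, an inline event handler, or a script URL
// scheme. It is a triage heuristic for reviewers, not an HTML parser.
var suspiciousMarkup = regexp.MustCompile(
	`(?i)<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|data\s*:text/html`)

// finding records one flagged setting and the dotted path it lives at.
type finding struct {
	Path  string
	Value string
}

// auditConfig parses a JSON document and returns, sorted by path, every
// string value that matches suspiciousMarkup.
func auditConfig(raw []byte) ([]finding, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var out []finding
	walk("", doc, &out)
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// walk descends through objects and arrays, recording the path to each string.
func walk(path string, v interface{}, out *[]finding) {
	switch x := v.(type) {
	case map[string]interface{}:
		for k, child := range x {
			walk(join(path, k), child, out)
		}
	case []interface{}:
		for i, child := range x {
			walk(fmt.Sprintf("%s[%d]", path, i), child, out)
		}
	case string:
		if suspiciousMarkup.MatchString(x) {
			*out = append(*out, finding{Path: path, Value: x})
		}
	}
}

func join(path, key string) string {
	if path == "" {
		return key
	}
	return path + "." + key
}

// sampleConfig is a constructed document for the demonstration. Two values
// carry markup and one carries a javascript: URL; the rest are benign.
const sampleConfig = `{
  "TeamSettings": {
    "SiteName": "Team Chat",
    "CustomDescriptionText": "Welcome <b>back</b>"
  },
  "SupportSettings": {
    "SupportEmail": "help@example.test",
    "HelpLink": "javascript:void(0)",
    "TermsOfServiceLink": "https://example.test/terms"
  },
  "EmailSettings": {
    "FeedbackName": "Example <script>x()</script>"
  }
}`

func main() {
	findings, err := auditConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-40s %q\n", f.Path, f.Value)
	}
}
```

Run against a real export, the output is a short list of paths for a human to inspect; a finding is a prompt to compare the value against the intended configuration and change history, not proof of compromise, since legitimate settings (for example a custom description with a bold tag) will also match.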

Evidence notes

Vulnerability confirmed through NVD analysis with vendor advisory from Mattermost. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as the underlying weakness. Affected versions explicitly defined in CPE criteria: 10.11.0 to 10.11.13 and 11.5.0 to 11.5.1.

Official resources

2026-05-18