PatchSiren cyber security CVE debrief
CVE-2026-6339 Mattermost CVE debrief
CVE-2026-6339 is a Mattermost vulnerability published on 2026-05-18 that can let an authenticated channel member force the reveal of a burn-on-read message without the recipient's consent. The issue affects Mattermost Server 11.4.0 through 11.4.3 and 11.5.0 through 11.5.1; vendor and NVD records score it CVSS 4.3 (medium) as a network-reachable issue whose scored impact is limited to availability.
- Vendor: Mattermost
- Product: Mattermost Server
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Mattermost administrators, security teams, and organizations using burn-on-read messaging in affected Mattermost Server versions. Channel members with authenticated access are the relevant threat model, so deployments that rely on message secrecy or consent-based reveal flows should prioritize review.
Technical summary
According to the vendor-described issue in NVD, Mattermost failed to validate the X-Requested-With header on the burn-on-read reveal endpoint. Because a browser sends no custom headers when it loads an image, an authenticated channel member could post a crafted Markdown image tag whose source pointed at the reveal endpoint; rendering that tag in the recipient's client triggered the reveal request and exposed the burn-on-read message without the recipient's consent. NVD lists the weakness as CWE-346 (Origin Validation Error) and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
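The header check the advisory describes is a standard defence against cross-site or image-tag-driven requests: a browser will only attach a custom header such as X-Requested-With when the product's own JavaScript client makes the call, so an endpoint that requires it cannot be triggered by rendered Markdown. The following Go program is an added illustration, not Mattermost's code; the handler, the `/reveal` path and the `requireXHR` middleware are hypothetical. It simulates both a legitimate client request and a header-less request of the kind an image tag would produce, and returns the status each one receives.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// revealHandler is a hypothetical stand-in for a burn-on-read reveal endpoint.
// It is not Mattermost code; it only exists so the middleware has something to guard.
func revealHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "revealed")
}

// requireXHR rejects any request that does not carry
// X-Requested-With: XMLHttpRequest. A browser loading an <img src="..."> tag
// sends no custom headers, so an image-tag-triggered request fails here,
// while the product's own client (which sets the header) passes through.
func requireXHR(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.EqualFold(r.Header.Get("X-Requested-With"), "XMLHttpRequest") {
			http.Error(w, "missing X-Requested-With header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// simulateReveal sends one GET to the guarded endpoint (an <img> load is a GET)
// and returns the HTTP status. withHeader=true models the legitimate client;
// withHeader=false models a request produced by rendered Markdown.
func simulateReveal(withHeader bool) int {
	mux := http.NewServeMux()
	mux.Handle("/reveal", requireXHR(http.HandlerFunc(revealHandler))) // hypothetical path
	req := httptest.NewRequest(http.MethodGet, "/reveal", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("client with header:", simulateReveal(true))  // 200
	fmt.Println("image-tag request:", simulateReveal(false))  // 403
}
```

The header check is only one layer: a reveal that changes message state should also not be reachable by a plain GET, and the usual origin checks (Origin/Referer validation or a CSRF token) still apply. The middleware above is deliberately narrow so that the effect of the single missing check named in the advisory is visible.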
Defensive priority
Medium. The CVSS score is 4.3, and the impact is confined to unintended reveal of a burn-on-read message rather than any broader compromise. That said, the issue defeats a user-facing confidentiality control, so organizations that depend on burn-on-read workflows should treat remediation as a priority within normal patch windows.
Recommended defensive actions
- Upgrade Mattermost Server to a fixed release: 11.4.4 or later for the 11.4.x line, or 11.5.2 or later for the 11.5.x line.
- Review any workflows that depend on burn-on-read confidentiality and confirm users understand that recipient consent can be bypassed in affected builds.
- Use the vendor security updates page to track any additional guidance or release notes related to MMSA-2026-00636.
- After maintenance windows, confirm that no instance still reports a version in 11.4.0-11.4.3 or 11.5.0-11.5.1.
- Prioritize patching for deployments with sensitive internal communications where unintended message reveal would matter operationally.
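Checking an inventory of reported server versions against the two affected ranges is a small but error-prone task (boundary values such as 11.4.3 versus 11.4.4 are easy to get wrong by eye). The Go program below is an added example, not a PatchSiren or Mattermost tool; it takes the inclusive ranges from the NVD record, compares each version numerically rather than as a string, and refuses to classify anything it cannot parse as a plain major.minor.patch triple (pre-release or build-suffixed tags are reported for manual verification). The inventory it runs over is constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// semver is a minimal major.minor.patch triple, enough for Mattermost release tags.
type semver struct{ major, minor, patch int }

// parseVersion accepts "11.4.3" or "v11.4.3". Anything else (pre-release
// suffixes, two-component versions) is an error so that it is never silently
// classified as fixed or affected.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("non-numeric component %q in %q; verify manually", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// cmp returns -1, 0 or 1 comparing a against b component by component.
func (a semver) cmp(b semver) int {
	for _, d := range [3]int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// affectedRanges are the inclusive ranges NVD lists for CVE-2026-6339.
var affectedRanges = []struct{ lo, hi semver }{
	{semver{11, 4, 0}, semver{11, 4, 3}},
	{semver{11, 5, 0}, semver{11, 5, 1}},
}

// IsAffected reports whether a reported version falls inside any affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if v.cmp(r.lo) >= 0 && v.cmp(r.hi) <= 0 {
			return true, nil
		}
	}
	return false, nil
}

// Triage classifies an inventory of host -> version and returns the hosts that
// still need patching plus the hosts whose version could not be parsed.
func Triage(inventory map[string]string) (affected, unverified []string) {
	for host, ver := range inventory {
		ok, err := IsAffected(ver)
		switch {
		case err != nil:
			unverified = append(unverified, host)
		case ok:
			affected = append(affected, host)
		}
	}
	sort.Strings(affected)
	sort.Strings(unverified)
	return affected, unverified
}

func main() {
	// Constructed sample inventory; hostnames and versions are made up.
	inventory := map[string]string{
		"chat-a": "11.4.3", "chat-b": "11.4.4", "chat-c": "v11.5.1",
		"chat-d": "11.5.2", "chat-e": "11.3.9", "chat-f": "11.5.0-rc1",
	}
	affected, unverified := Triage(inventory)
	fmt.Println("still affected:", affected)   // [chat-a chat-c]
	fmt.Println("verify manually:", unverified) // [chat-f]
}
```

The version string fed to this check should come from the server itself (the version the running instance reports) rather than from a deployment manifest, since the point of the post-maintenance check is to catch hosts where the upgrade did not actually land.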
Evidence notes
All factual claims here are limited to the supplied NVD record and the linked Mattermost security updates page. NVD states the affected version ranges, the CWE-346 classification, the CVSS 3.1 vector, and that the vulnerability was published on 2026-05-18. The vendor advisory is referenced by NVD as the authoritative Mattermost source.
Official resources
- CVE-2026-6339 CVE record (CVE.org)
- CVE-2026-6339 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (referenced by NVD; MMSA-2026-00636)
Vendor-referenced advisory published with the CVE on 2026-05-18; no KEV entry was supplied.