PatchSiren

Mattermost CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Mattermost CVE published 2026-05-18

CVE-2026-6346

Mattermost fixed a credential-exposure issue in support packet generation that affected specific 10.11.x, 11.4.x, and 11.5.x releases. On vulnerable versions, sensitive configuration fields were not sanitized before a support packet was created, so a System Admin or anyone with access to the packet could retrieve plaintext credentials from the downloaded file. NVD rates the issue as high severity (CVSS 8. [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6345

CVE-2026-6345 describes a Mattermost Server issue where created user passwords were not adequately protected from disclosure. According to the vendor and NVD, a malicious attacker with sufficient privileges could use exposed passwords to impersonate a user. The issue is rated medium severity with high confidentiality and integrity impact.

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6343

CVE-2026-6343 is a Mattermost authorization issue published on 2026-05-18. According to the vendor/NVD record, certain Mattermost Server versions fail to correctly enforce public/private permissions, which can allow users without those permissions to access public playbooks through the /get endpoint. NVD rates the issue with a CVSS 3.1 base score of 4.3 (Medium), with low-privilege, network-reachable access and a confidential [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6339

CVE-2026-6339 is a Mattermost vulnerability published on 2026-05-18 that can let an authenticated channel member force the reveal of a burn-on-read message without recipient consent. The issue affects Mattermost Server 11.4.0 through 11.4.3 and 11.5.0 through 11.5.1, with vendor and NVD records identifying it as a low-severity, network-reachable issue with limited availability impact.

LOW Mattermost CVE published 2026-05-18

CVE-2026-4286

CVE-2026-4286 is a low-severity Mattermost authorization issue affecting playbook updates. According to the vendor and NVD data, users with only Manage Playbook Configurations permission could change a playbook’s team through the update API because the application did not verify whether {{team_id}} was being changed. That bypassed the intended manage members restriction for team changes. The affected rang [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-28759

CVE-2026-28759 is a Mattermost server authorization flaw in shared channel membership synchronization. A malicious remote cluster can send crafted membership sync messages and remove users from channels it is not allowed to access, including private channels. NVD rates the issue CVSS 4.3 (MEDIUM).