Skip to main content

Mattermost EUVDEUVD-2026-30749

| CVE-2026-6339 MEDIUM
Origin Validation Error (CWE-346)
2026-05-18 Mattermost GHSA-xvcx-mgpc-5xh3
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 09:32 vuln.today

DescriptionCVE.org

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636

AnalysisAI

Authenticated Mattermost channel members can forcibly reveal burn-on-read messages without recipient consent by exploiting missing X-Requested-With header validation on the reveal endpoint through crafted Markdown image tags. This bypasses the intended ephemeral messaging security control in Mattermost versions 11.4.x through 11.4.3 and 11.5.x through 11.5.1. The CVSS vector indicates network-accessible exploitation by low-privileged authenticated users with low attack complexity. Exploitation status: no public exploit identified at time of analysis. EPSS data not provided.

Technical ContextAI

Burn-on-read is a Mattermost feature providing ephemeral messaging where messages are automatically deleted after being viewed by recipients. The vulnerability stems from inadequate Origin header validation (CWE-346: Origin Validation Error) on the burn-on-read reveal API endpoint. The endpoint fails to validate the X-Requested-With header, a common CSRF defense mechanism. Attackers exploit this by embedding malicious Markdown image tags in channel messages. When the Markdown renderer processes the image tag, it triggers an HTTP request to the reveal endpoint without proper origin checks, causing the burn-on-read message to be revealed server-side. The affected CPE (cpe:2.3:a:mattermost:mattermost) confirms this impacts the core Mattermost server application across specified version ranges, not plugins or mobile clients.

RemediationAI

Upgrade to Mattermost server versions newer than 11.5.1 or 11.4.3 as the vendor has released fixes per advisory MMSA-2026-00636. Specific patched versions not published in available data - consult https://mattermost.com/security-updates for exact fixed release numbers. As interim mitigation if immediate patching is infeasible, consider disabling burn-on-read messaging feature entirely until upgrade completes, though this eliminates the feature's business value. Implement strict channel membership controls to limit authenticated user access to sensitive burn-on-read channels, reducing insider threat surface. Configure web application firewalls to enforce X-Requested-With header presence on API endpoints if architectural compatibility permits, though this may break legitimate integrations. Monitor server logs for unusual access patterns to burn-on-read reveal endpoints, particularly high-frequency requests from single authenticated sessions. Note that compensating controls cannot fully prevent exploitation by legitimate authenticated channel members.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

EUVD-2026-30749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy