Cache Invalidation Flaw in Mattermost Affects Private Channel Security
CVE-2026-1629

4.3MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 16 March 2026

What is CVE-2026-1629?

A vulnerability in Mattermost versions up to 10.11.10 allows users to retain access to private channel content even after losing permission. This occurs because the application fails to invalidate cached permalink previews when a user loses access to a channel. As a result, users may view sensitive content via previously cached previews until the cache is reset or they log in again. This presents a significant privacy risk within Mattermost environments, potentially exposing confidential information.

Affected Version(s)

Mattermost 10.11.0 <= 10.11.10

Mattermost 11.4.0

Mattermost 10.11.11

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 16, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Joshua Rogers

CVE-2026-1629 Data

JSON