Improper Channel Membership Validation in Mattermost by Mattermost
CVE-2026-20796

3.1LOW

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 13 February 2026

What is CVE-2026-20796?

Mattermost versions 10.11.x up to 10.11.9 have a vulnerability in their handling of channel membership verification. This issue can be exploited through a race condition when accessing the /common_teams API endpoint, allowing deactivated users to inadvertently gain knowledge of team names that they should not have access to. This poses a significant risk to user privacy and security within the platform.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Mattermost 10.11.0 <= 10.11.9

Mattermost 11.3.0

Mattermost 10.11.10

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 13, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Juho Forsén

JSON

Mattermost