Websocket Event Broadcast Vulnerability in Mattermost by Mattermost
CVE-2026-3433

4.3MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
12 June 2026

What is CVE-2026-3433?

Mattermost versions 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.16 are susceptible to a vulnerability that fails to adequately restrict the broadcasting of role_updated websocket events. This flaw allows an authenticated user with guest-level access to intercept notifications regarding changes in permission schemes for private teams, potentially exposing sensitive information without membership in those teams. Users should ensure to update to the latest versions to safeguard against this issue.

Affected Version(s)

Mattermost 11.6.0 <= 11.6.1

Mattermost 11.5.0 <= 11.5.4

Mattermost 10.11.0 <= 10.11.15

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0x7oda7123
.