Websocket Event Broadcast Vulnerability in Mattermost by Mattermost
CVE-2026-3433
4.3MEDIUM
What is CVE-2026-3433?
Mattermost versions 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.16 are susceptible to a vulnerability that fails to adequately restrict the broadcasting of role_updated websocket events. This flaw allows an authenticated user with guest-level access to intercept notifications regarding changes in permission schemes for private teams, potentially exposing sensitive information without membership in those teams. Users should ensure to update to the latest versions to safeguard against this issue.
Affected Version(s)
Mattermost 11.6.0 <= 11.6.1
Mattermost 11.5.0 <= 11.5.4
Mattermost 10.11.0 <= 10.11.15