
Mattermost Reveals Team Names to Deactivated Users

CVE-2026-20796 GHSA-2xf7-hmf6-p64j
Summary

Mattermost versions 10.11.x through 10.11.9 don't check if a user is active when showing team names. This means a deactivated user might see team names they shouldn't have access to. Update to a fixed version to prevent this.

What to do
  • Update github.com mattermost to version 10.11.10.
Affected software
Vendor | Product | Affected versions | Fix available
github.com | mattermost | > 10.11.0, <= 10.11.9 | 10.11.10
mattermost | mattermost_server | > 10.11.0, <= 10.11.10 | –
Original title
Mattermost doesn't properly validate channel membership at the time of data retrieval
Original description
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549
NVD CVSS v3.1 score: 3.1
Vulnerability type
CWE-367
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026