CVE-2026-3115: Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope

March 26, 2026 (updated March 31, 2026)

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594.

References

github.com/advisories/GHSA-mpc7-mm28-f6wq
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-3115

Code Behaviors & Features

Detect and mitigate CVE-2026-3115 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →