Guest users can view group member IDs without respecting view...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594

Basic Information

ID CVE-2026-3115

Source Mattermost

Published Mar 26, 2026 at 16:23

Modified Mar 26, 2026 at 17:51

Affected Product

Vendor Mattermost

Product Mattermost

Version 11.2.0

Affected Versions Mattermost Mattermost 11.2.0
Mattermost Mattermost 10.11.0
Mattermost Mattermost 11.4.0
Mattermost Mattermost 11.3.0

CWE Classification

CWE-863

References

mattermost.com /security-updates

{
    "lastseen": "",
    "description": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint.. Mattermost Advisory ID: MMSA-2026-00594",
    "published": "2026-03-26T16:23:05.887Z",
    "modified": "2026-03-26T17:51:14.689Z",
    "type": "cve",
    "title": "Guest users can view group member IDs without respecting view restrictions",
    "source": "Mattermost",
    "references": "https://mattermost.com/security-updates",
    "id": "CVE-2026-3115",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Mattermost Mattermost 11.2.0\nMattermost Mattermost 10.11.0\nMattermost Mattermost 11.4.0\nMattermost Mattermost 11.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mattermost",
    "version": "11.2.0",
    "vendor": "Mattermost",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Guest users can view group member IDs without respecting view restrictions_CVE-2026-3115