CVE-2026-2578— Mattermost 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-2578の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts
ソース: NVD (National Vulnerability Database)
脆弱性説明
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
通过发送数据的信息暴露
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Mattermost 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Mattermost是美国Mattermost公司的一个开源协作平台。 Mattermost 11.3.0及之前的11.3.x版本存在安全漏洞,该漏洞源于在删除期间未能保留阅后即焚帖子的编辑状态,可能导致频道成员通过WebSocket帖子删除事件访问未揭示的阅后即焚消息内容。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| Mattermost | Mattermost | 11.3.0 ~ 11.3.0 | - |
II. CVE-2026-2578の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-2578のインテリジェンス情報
请登录查看更多情报信息。
Same Patch Batch · Mattermost · 2026-03-16 · 21 CVEs total
| CVE-2026-2476 | 7.6 HIGH | MS Teams plugin sensitive config values not properly masked in support packets |
| CVE-2026-24458 | 7.5 HIGH | DoS attack via login attempts with multi-megabyte passwords |
| CVE-2026-2462 | 6.6 MEDIUM | Admin RCE via Malicious Plugin Upload on CI Test Instances |
| CVE-2026-2454 | 5.8 MEDIUM | DoS in Calls plugin via malformed msgpack in websocket request. |
| CVE-2026-2456 | 5.3 MEDIUM | Denial of Service via Unbounded Memory Allocation in Integration Actions |
| CVE-2026-25783 | 4.3 MEDIUM | Denial of service via malformed User-Agent header in getBrowserVersion |
| CVE-2026-2463 | 4.3 MEDIUM | Unauthorized access to invite ID during team creation |
| CVE-2026-2461 | 4.3 MEDIUM | Missing authorization check allows unauthorized modification of other users' comments on a |
| CVE-2026-2457 | 4.3 MEDIUM | WebSocket Message Spoofing via Permalink Embed Manipulation |
| CVE-2026-2458 | 4.3 MEDIUM | Unauthorized channel enumeration in private teams after member removal |
| CVE-2026-26246 | 4.3 MEDIUM | Memory Exhaustion via Malformed PSD File Upload |
| CVE-2026-1629 | 4.3 MEDIUM | Permalink Preview Information Disclosure After Permission Revocation |
| CVE-2026-4265 | 4.3 MEDIUM | Guest user can upload files without permission across teams |
| CVE-2026-25780 | 4.3 MEDIUM | Memory Exhaustion via Malformed DOC File Upload |
| CVE-2026-21386 | 4.3 MEDIUM | Private channel enumeration via /mute slash command |
| CVE-2026-2455 | 4.3 MEDIUM | SSRF bypass via IPv4-mapped IPv6 literals |
| CVE-2026-24692 | 4.3 MEDIUM | Guest users can bypass read permissions via search API |
| CVE-2026-26304 | 4.3 MEDIUM | Permission Bypass in Playbook Run Creation |
| CVE-2026-26230 | 3.8 LOW | Team Admin Privilege Escalation to Demote Members to Guest |
| CVE-2026-22545 | 3.1 LOW | Password Change Bypass via Auth Switch Endpoint |
IV. 関連脆弱性
同じ製品: Mattermost
- CVE-2026-3590
Race Condition in Guest Magic Link Authentication Allows Tok - CVE-2026-28741
CSRF Protection Bypass Allows Updating a User's Authenticati - CVE-2026-27769
Connected Workspaces: Malicious remote server can manipulate - CVE-2026-24661
Unbounded Request Body Read in MS Teams Plugin {{/changes}} - CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}
同じベンダー: Mattermost
- CVE-2026-3590
Race Condition in Guest Magic Link Authentication Allows Tok - CVE-2026-28741
CSRF Protection Bypass Allows Updating a User's Authenticati - CVE-2026-27769
Connected Workspaces: Malicious remote server can manipulate - CVE-2026-24661
Unbounded Request Body Read in MS Teams Plugin {{/changes}} - CVE-2026-21388
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}
同じ弱点: CWE-201
- CVE-2025-31978
HCL BigFix Service Management (SM) does not adequately sanit - CVE-2026-42379
WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposu - CVE-2026-5512
Improper authorization vulnerability in GitHub Enterprise Se - CVE-2026-40161
Tekton Pipelines: Git resolver API mode leaks system-configu - CVE-2026-4525
Vault Token Leaked to Backends via Authorization: Bearer Pas
V. CVE-2026-2578へのコメント
まだコメントはありません