4.3 CVE-2026-1629

Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-00580
https://nvd.nist.gov/vuln/detail/CVE-2026-1629

Categories

CWE-672 : Operation on a Resource after Expiration or Release
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)

References

 

AFFECTED (from MITRE)

---

Vendor	Product	Versions
Mattermost	Mattermost	10.11.0 ≤ 10.11.10 [affected] 11.4.0 [unaffected] 10.11.11 [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

---

REMEDIATION

---

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
No known exploits

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---