CVE-2026-20796 PUBLISHED

Time-of-check time-of-use vulnerability in common teams API

Assigner: Mattermost
Reserved: 15.01.2026 Published: 13.02.2026 Updated: 13.02.2026

Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 10.11.0 to 10.11.9 (incl.) Version 11.3.0 is unaffected Version 10.11.10 is unaffected

Solutions

Update Mattermost to versions 11.3.0, 10.11.10 or higher.

Credits

Juho Forsén finder

References

MMSA-2025-00549

Problem Types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE