Mattermost burnonread reveal endpoint XRequestedWith header flaw (v<11.5.1)
CVE-2026-6339 Published on May 18, 2026
Missing request origin validation on burn-on-read reveal endpoint
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost Advisory ID: MMSA-2026-00636
Vulnerability Analysis
CVE-2026-6339 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Origin Validation Error
The software does not properly verify that the source of data or communication is valid.
Products Associated with CVE-2026-6339
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 11.5.0, <= 11.5.1 is affected.
- Version 11.4.0, <= 11.4.3 is affected.
- Version 11.6.0 is unaffected.
- Version 11.5.2 is unaffected.
- Version 11.4.4 is unaffected.