CVE-2026-6339 Overview
CVE-2026-6339 affects Mattermost Server versions 11.5.x up to 11.5.1 and 11.4.x up to 11.4.3. The flaw resides in the burn-on-read reveal endpoint, which fails to validate the X-Requested-With header. An authenticated channel member can force the reveal of a burn-on-read message without the recipient's consent by embedding a crafted Markdown image tag. The vulnerability is tracked under Mattermost Advisory ID MMSA-2026-00636 and is categorized as authentication of source data origin failure [CWE-346].
Critical Impact
Authenticated attackers can trigger unauthorized disclosure of burn-on-read messages by abusing client-side Markdown rendering, bypassing recipient consent on the reveal endpoint.
Affected Products
- Mattermost Server 11.5.0 through 11.5.1
- Mattermost Server 11.4.0 through 11.4.3
- Deployments relying on burn-on-read messaging features
Discovery Timeline
- 2026-05-18 - CVE-2026-6339 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-6339
Vulnerability Analysis
The vulnerability stems from insufficient origin validation on the burn-on-read reveal endpoint in Mattermost Server. Burn-on-read messages are designed to be revealed only when the recipient explicitly chooses to view them. The reveal endpoint does not verify the X-Requested-With header, which is the mechanism Mattermost relies on to confirm that a reveal action originated from an intentional client request rather than an embedded resource load.
An authenticated channel member can craft a Markdown image tag that points its src attribute at the reveal endpoint URL. When another channel member renders the message, their browser issues a GET request to the embedded URL. Because the server does not validate the source of that request, it treats the image fetch as a legitimate reveal action and discloses the protected content.
Root Cause
The root cause is a missing source authentication check [CWE-346] on a state-changing endpoint. The reveal handler accepts any authenticated request without confirming the X-Requested-With header that distinguishes XHR or fetch calls from passive resource loads such as <img> tags.
Attack Vector
Exploitation requires network access and low-privilege authenticated channel membership. The attacker posts a message containing a Markdown image referencing the reveal endpoint of a target burn-on-read message. When the recipient loads the channel, their client automatically fetches the image URL, causing the server to mark the message as revealed and return its content. No user interaction beyond viewing the channel is required.
The vulnerability is described in the Mattermost Security Updates advisory. No public proof-of-concept code is currently available.
Detection Methods for CVE-2026-6339
Indicators of Compromise
- Burn-on-read messages marked as revealed without corresponding user-initiated reveal actions in audit logs
- Markdown image tags in chat messages whose src attribute points to internal Mattermost reveal endpoints
- Reveal endpoint requests missing the expected X-Requested-With: XMLHttpRequest header
Detection Strategies
- Inspect Mattermost access logs for GET requests to the burn-on-read reveal endpoint that originate from image loads, identifiable by Accept: image/* headers
- Correlate reveal events with the recipient's active session activity to identify reveals that occurred without a corresponding UI interaction
- Scan message content for Markdown image references pointing to API or reveal endpoints
Monitoring Recommendations
- Enable verbose audit logging for burn-on-read message lifecycle events including create, view, and reveal
- Alert on anomalous spikes in reveal endpoint requests from a single user or channel
- Forward Mattermost server logs to a centralized SIEM for retention and correlation across users
How to Mitigate CVE-2026-6339
Immediate Actions Required
- Upgrade Mattermost Server to a version above 11.5.1 on the 11.5 branch or above 11.4.3 on the 11.4 branch
- Review recent burn-on-read message audit logs for unauthorized reveals
- Notify users whose burn-on-read messages may have been disclosed during the exposure window
Patch Information
Mattermost has published fixed versions through its security advisory channel. Refer to the Mattermost Security Updates page for the exact patched releases and upgrade instructions. The patch adds validation of the X-Requested-With header on the burn-on-read reveal endpoint to reject requests originating from passive resource loads.
Workarounds
- Restrict use of burn-on-read messaging in sensitive channels until patches are applied
- Apply web application firewall rules that drop reveal endpoint requests lacking X-Requested-With: XMLHttpRequest
- Limit channel membership and posting permissions to reduce the population of users able to embed crafted Markdown
# Example WAF rule to enforce X-Requested-With on the reveal endpoint
# (adapt the path to match your Mattermost API route)
SecRule REQUEST_URI "@rx /api/v[0-9]+/posts/.*/reveal" \
"id:1026339,phase:1,deny,status:403,\
chain,msg:'Block burn-on-read reveal without XHR header'"
SecRule &REQUEST_HEADERS:X-Requested-With "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

