Insertion of Sensitive Information Into Sent Data Affecting github.com/mattermost/mattermost/server/v8/channels/api4 package, versions >=10.11.0 <10.11.17, >=11.5.0 <11.5.5, >=11.6.0 <11.6.2, >=11.7.0-rc1 <11.7.0-rc3


Severity

high

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.26% (17th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMMATTERMOSTMATTERMOSTSERVERV8CHANNELSAPI4-17661022
  • Published: 28 Jun 2026
  • Disclosed: 12 Jun 2026
  • Credit: winfunc

Introduced: 12 Jun 2026

CVE-2026-7184
CWE-201

How to fix?

Upgrade github.com/mattermost/mattermost/server/v8/channels/api4 to version 10.11.17, 11.5.5, 11.6.2, 11.7.0-rc3 or higher.

Overview

github.com/mattermost/mattermost/server/v8/channels/api4 is a platform for secure collaboration across the entire software development lifecycle.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data: the Remote Cluster PATCH API response is insufficiently sanitized and includes sensitive information. An attacker can access authentication tokens by sending a PATCH request to the remote cluster endpoint. This is only exploitable by an authenticated user who holds the manage_secure_connections permission.
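The response pattern described above, as an added Go example (not Mattermost's code; the type, field and function names are hypothetical and the token values are constructed): a PATCH handler that echoes the stored record back to the caller leaks its tokens, while clearing the secret fields before serialization does not.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// remoteCluster is a hypothetical stand-in for a stored secure-connection
// record; the field names are assumptions, not Mattermost's model.
type remoteCluster struct {
	ID          string `json:"id"`
	DisplayName string `json:"display_name"`
	Token       string `json:"token,omitempty"`
	RemoteToken string `json:"remote_token,omitempty"`
}

// clusterPatch carries the only field a PATCH may change in this example.
type clusterPatch struct {
	DisplayName *string `json:"display_name"`
}

// sanitized returns a copy with secrets cleared, safe to send to a client.
func sanitized(rc remoteCluster) remoteCluster {
	rc.Token, rc.RemoteToken = "", ""
	return rc
}

// patchResponse applies the patch and builds the response body. With
// sanitize=false it echoes the stored record: the CWE-201 pattern.
func patchResponse(stored remoteCluster, body []byte, sanitize bool) ([]byte, error) {
	var p clusterPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if p.DisplayName != nil {
		stored.DisplayName = *p.DisplayName
	}
	if sanitize {
		stored = sanitized(stored)
	}
	return json.Marshal(stored)
}

func main() {
	stored := remoteCluster{ID: "rc1", DisplayName: "old", Token: "CONSTRUCTED-TOKEN", RemoteToken: "CONSTRUCTED-REMOTE"}
	for _, s := range []bool{false, true} {
		out, _ := patchResponse(stored, []byte(`{"display_name":"new"}`), s)
		fmt.Printf("sanitize=%v -> %s\n", s, out)
	}
}
```

A regression test that serializes every write-path response and asserts that no stored secret appears in it catches this class of bug on endpoints other than the read path.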
