CVE-2025-11776

Summary

Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the /api/v4/teams/{team_id}/channels/search_archived endpoint

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost<11 <= <11affected
MattermostMattermost11.0.0unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References