CVE-2025-11777

Summary

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.11.0 <= 10.11.3affected
MattermostMattermost10.5.0 <= 10.5.11affected
MattermostMattermost11.0.0unaffected
MattermostMattermost10.11.4unaffected
MattermostMattermost10.5.12unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References