CVE-2025-1792

Summary

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.5.0 <= 10.5.3affected
MattermostMattermost9.11.0 <= 9.11.12affected
MattermostMattermost10.8.0unaffected
MattermostMattermost10.5.4unaffected
MattermostMattermost9.11.13unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References