Mattermost Access Control Vulnerability for Guest Users in Channel Members API

Vulnerability

A vulnerability exists in Mattermost versions 10.7.x through 10.7.0, 10.5.x through 10.5.3, and 9.11.x through 9.11.12. These versions fail to properly enforce access controls for guest users accessing channel member information. This allows authenticated guest users to view metadata about members of public channels through the channel members API endpoint.

Impact

Exploitation of this vulnerability allows authenticated guest users to access channel member metadata in public channels, bypassing intended access controls.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.