Mattermost Improper Access Control Vulnerability in Audits API Endpoint

Vulnerability

A vulnerability exists in Mattermost versions 9.11.x prior to 9.11.8, where the application fails to enforce proper access controls on the /api/v4/audits endpoint. This flaw allows users with delegated granular administration roles, who do not have access to Compliance Monitoring, to retrieve User Activity Logs.

Impact

Exploitation of this vulnerability could lead to unauthorized access to User Activity Logs by users with certain administrative roles.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.