Mattermost Team Admin Privilege Escalation Vulnerability in Private Channels

Vulnerability

A vulnerability exists in Mattermost versions 9.11.x prior to 9.11.8, where the application fails to require explicit approval before adding a team admin to a private channel. This oversight allows team admins to join private channels through specially crafted permalinks without the consent of the channel admins.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a team admin to access private channels without proper approval.
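The authorization decision at the heart of this advisory, as an added illustrative model (not Mattermost's own code, types, or data structures): a vulnerable policy that admits a team admin to a private channel on the strength of the team role alone, beside a corrected policy that admits only existing members or users a channel admin has explicitly approved. User, PrivateChannel, and the approval record are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model only; Mattermost's real structures differ.
type Role int

const (
	Member Role = iota
	TeamAdmin
)

type User struct {
	ID       string
	TeamRole Role
}

type PrivateChannel struct {
	ID            string
	Members       map[string]bool // users already in the channel
	ChannelAdmins map[string]bool // users who may consent to a new member
	Approved      map[string]bool // explicit channel-admin consent, per user
}

func newPrivateChannel(id string, admins ...string) *PrivateChannel {
	c := &PrivateChannel{ID: id, Members: map[string]bool{},
		ChannelAdmins: map[string]bool{}, Approved: map[string]bool{}}
	for _, a := range admins {
		c.Members[a], c.ChannelAdmins[a] = true, true
	}
	return c
}

// vulnerableCanJoin reproduces the flaw the advisory describes: a team admin
// following a permalink is admitted without any channel-admin consent.
func vulnerableCanJoin(u User, c *PrivateChannel) bool {
	return c.Members[u.ID] || u.TeamRole == TeamAdmin
}

// fixedCanJoin ignores the team role; only membership or an approval counts.
func fixedCanJoin(u User, c *PrivateChannel) bool {
	return c.Members[u.ID] || c.Approved[u.ID]
}

// approveJoin records consent; only a channel admin of c may grant it, so a
// team admin cannot approve their own entry.
func approveJoin(approver User, c *PrivateChannel, target User) error {
	if !c.ChannelAdmins[approver.ID] {
		return errors.New("only a channel admin may approve a join")
	}
	c.Approved[target.ID] = true
	return nil
}

func main() {
	c := newPrivateChannel("private-1", "alice")
	bob := User{ID: "bob", TeamRole: TeamAdmin}
	fmt.Println(vulnerableCanJoin(bob, c), fixedCanJoin(bob, c)) // true false
}
```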

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.