Mattermost API Team Information Exposure Vulnerability for Guest Users

Vulnerability

A vulnerability exists in Mattermost versions 10.5.x through 10.5.4 and 9.11.x through 9.11.13 that allows guest users to bypass permission checks and view information about public teams they are not members of. The teams API does not correctly restrict which teams a guest account may read, so a guest who calls the endpoint directly (rather than going through the web client) receives data about public teams they do not belong to.
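A practical way to test whether an instance is affected, and to confirm the fix after upgrading, is to authenticate as a guest account, list the teams the API returns, and compare that list against the teams the guest is actually a member of. The script below is an added example written for this page; it is not code from the advisory or from the Mattermost project. It assumes Mattermost's REST API v4 endpoints GET /api/v4/teams (teams visible to the caller) and GET /api/v4/users/me/teams (teams the caller belongs to); the host, token and sample responses are constructed for illustration.

```python
"""Check whether a Mattermost guest account can see teams it does not belong to.

Added example, not part of the original advisory or of Mattermost itself.
Assumptions: API v4 endpoints /api/v4/teams and /api/v4/users/me/teams,
a guest-user bearer token, and the constructed sample data below.
"""
import json
import sys
import urllib.request


def fetch_json(base_url, token, path):
    """GET an API v4 path with a bearer token and decode the JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_leaked_teams(visible_teams, member_teams):
    """Return every team listed by the teams endpoint that the caller is not a member of.

    On an unaffected server the guest's visible teams are exactly its
    membership, so this list is empty. Each returned team is the raw team
    object, so callers can inspect fields such as allow_open_invite.
    """
    member_ids = {t["id"] for t in member_teams}
    return [t for t in visible_teams if t["id"] not in member_ids]


def leaked_team_names(visible_teams, member_teams):
    """Convenience wrapper: just the team names that leaked, in API order."""
    return [t["name"] for t in find_leaked_teams(visible_teams, member_teams)]


def check_guest_isolation(base_url, guest_token):
    """Live check against a server; returns the leaked team objects."""
    # per_page keeps the sample small; a real tenant may need to page further.
    visible = fetch_json(base_url, guest_token, "/api/v4/teams?page=0&per_page=200")
    member = fetch_json(base_url, guest_token, "/api/v4/users/me/teams")
    return find_leaked_teams(visible, member)


# Constructed sample responses (not captured from a real server). The guest
# belongs only to "guest-project"; "eng-public" is an open team it should
# not be able to see.
VISIBLE_SAMPLE = [
    {"id": "t1", "name": "guest-project", "display_name": "Guest Project",
     "allow_open_invite": False},
    {"id": "t2", "name": "eng-public", "display_name": "Engineering",
     "allow_open_invite": True},
]
MEMBER_SAMPLE = [
    {"id": "t1", "name": "guest-project", "display_name": "Guest Project",
     "allow_open_invite": False},
]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        leaked = check_guest_isolation(sys.argv[1], sys.argv[2])
    else:
        print("usage: check.py <base_url> <guest_token>; running on sample data")
        leaked = find_leaked_teams(VISIBLE_SAMPLE, MEMBER_SAMPLE)
    for t in leaked:
        print("LEAK: guest can see team %s (open=%s)" % (t["name"], t["allow_open_invite"]))
    sys.exit(1 if leaked else 0)
```

Run it with a guest account's token before and after the upgrade: a non-empty result means the guest can enumerate teams beyond its own membership, which is the behaviour this advisory describes. The test account must be a genuine guest (not a regular member), since regular users are allowed to see open teams.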

Impact

Exploiting this issue lets a guest account read information about public teams it is not a member of. Guest accounts are meant to see only the teams and channels they have been explicitly added to, so this is an information-disclosure problem that undermines the isolation the guest role is supposed to provide; it does not by itself grant membership or any elevated permissions.

Remediation

Upgrade to Mattermost 10.8.0 or 10.9.0 to address this vulnerability.

Added: Jun 11, 2025, 11:17 AM
Updated: Jun 11, 2025, 11:17 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.