Mattermost Playbook Run Metadata Channel Membership Validation Vulnerability

Vulnerability

A vulnerability exists in Mattermost versions 9.11.x through 9.11.15, 10.5.x through 10.5.5, 10.6.x through 10.6.5, 10.7.x through 10.7.2, and 10.8.x through 10.8.0. These versions fail to validate channel membership when serving playbook run metadata: the run metadata API endpoint treats membership in the playbook as sufficient and does not check that the caller is also a member of the channel linked to the run. An authenticated user who belongs to the playbook but not to the linked private channel can therefore retrieve information about that channel, including its name, display name, and participant count.
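The authorization gap described above, as an added illustration written for this page rather than code from the Mattermost server or the Playbooks plugin (both are Go projects, hence the language). The types Channel, Playbook, Run, Store and RunMetadata, the user and channel names, and the two handler functions are constructed assumptions; the real endpoint, its route and its data model are not reproduced here. The vulnerable handler grants access on playbook membership alone; the fixed handler adds the channel-membership guard for a private linked channel.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified model of the objects involved. Type and field
// names are illustrative assumptions, not the Playbooks plugin's types.
type Channel struct {
	Name, DisplayName string
	Private           bool
	Members           map[string]bool // user IDs with channel membership
}

type Playbook struct {
	Members map[string]bool // user IDs with playbook membership
}

type Run struct {
	PlaybookID, ChannelID string // ChannelID is the channel linked to the run
}

// RunMetadata is the sensitive subset named in the advisory: the linked
// channel's name, display name and participant count.
type RunMetadata struct {
	ChannelName, ChannelDisplayName string
	ParticipantCount                int
}

type Store struct {
	Channels  map[string]*Channel
	Playbooks map[string]*Playbook
	Runs      map[string]*Run
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// getRunMetadata resolves the run, its playbook and its linked channel,
// then authorizes the caller. checkChannel selects whether the
// channel-membership guard (the step the affected versions lack) runs.
func (s *Store) getRunMetadata(userID, runID string, checkChannel bool) (RunMetadata, error) {
	run, ok := s.Runs[runID]
	if !ok {
		return RunMetadata{}, ErrNotFound
	}
	pb, ch := s.Playbooks[run.PlaybookID], s.Channels[run.ChannelID]
	if pb == nil || ch == nil {
		return RunMetadata{}, ErrNotFound
	}
	if !pb.Members[userID] {
		return RunMetadata{}, ErrForbidden
	}
	// Private linked channel: the caller must also be a channel member.
	// Answering "not found" here is a choice made in this example so the
	// response does not confirm that a private channel is linked at all.
	if checkChannel && ch.Private && !ch.Members[userID] {
		return RunMetadata{}, ErrNotFound
	}
	return RunMetadata{ch.Name, ch.DisplayName, len(ch.Members)}, nil
}

// GetRunMetadataVulnerable models the flawed behaviour: playbook membership alone unlocks the metadata.
func (s *Store) GetRunMetadataVulnerable(u, r string) (RunMetadata, error) { return s.getRunMetadata(u, r, false) }

// GetRunMetadataFixed adds the missing channel-membership check.
func (s *Store) GetRunMetadataFixed(u, r string) (RunMetadata, error) { return s.getRunMetadata(u, r, true) }

// NewSampleStore builds the constructed scenario from the advisory:
// "alice" belongs to the playbook but not to the private linked channel.
func NewSampleStore() *Store {
	return &Store{
		Channels: map[string]*Channel{"ch1": {Name: "incident-42", DisplayName: "Incident 42",
			Private: true, Members: map[string]bool{"bob": true, "carol": true}}},
		Playbooks: map[string]*Playbook{"pb1": {Members: map[string]bool{"alice": true, "bob": true}}},
		Runs:      map[string]*Run{"run1": {PlaybookID: "pb1", ChannelID: "ch1"}},
	}
}

func main() {
	s := NewSampleStore()
	for _, user := range []string{"alice", "bob", "mallory"} {
		v, verr := s.GetRunMetadataVulnerable(user, "run1")
		f, ferr := s.GetRunMetadataFixed(user, "run1")
		fmt.Printf("%-8s vulnerable: %+v err=%v\n", user, v, verr)
		fmt.Printf("%-8s fixed:      %+v err=%v\n", user, f, ferr)
	}
}
```

Running it shows alice receiving the private channel's name, display name and participant count from the vulnerable path and a not-found error from the fixed one, while bob (a member of both) is served by both and mallory (a member of neither) is refused by both. The general point is that authorization has to be evaluated against every object a response reveals, not only the object named in the request: the run is the requested resource, but the channel details are what the response discloses.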

Impact

Successful exploitation discloses private channel information (channel name, display name, and participant count) for channels linked to playbook runs to authenticated playbook members who are not members of those channels.

Added: Jun 30, 2025, 5:19 PM
Updated: Jun 30, 2025, 6:50 PM

Vulnerability Rating

Custom Algorithm
spread          3.1
impact          2.5
exploitability  5.2
remediation     0.0
relevance       0.2
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.