Mattermost Authorization Bypass Vulnerability in Private Channels

Vulnerability

An authorization bypass vulnerability has been identified in Mattermost versions 10.5.x through 10.5.6, 10.8.x through 10.8.1, 10.7.x through 10.7.3, and 9.11.x through 9.11.16. This vulnerability allows authenticated users to access posts in private channels by guessing the PendingPostID of recently created posts. The issue arises because the application fails to properly verify authorization when retrieving cached posts by PendingPostID.
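The missing check described above, modelled in an added Go example that is not Mattermost's code: the types, function names and sample data are assumptions, and the flawed cache lookup is shown beside a hardened variant that verifies channel membership before returning a cached post.

```go
package main

import (
	"errors"
	"fmt"
)

// Post is a minimal hypothetical model of a post; the field names are assumptions.
type Post struct {
	ID, PendingPostID, ChannelID, Message string
}

// Store holds the PendingPostID cache and a channel-membership table.
type Store struct {
	pendingCache map[string]*Post            // PendingPostID -> post
	members      map[string]map[string]bool // channelID -> set of member userIDs
}
var ErrNotFound = errors.New("post not found")

// Flawed path: any authenticated caller who supplies a cached PendingPostID gets the post back.
func (s *Store) GetPostByPendingIDUnchecked(pendingID string) (*Post, error) {
	if p, ok := s.pendingCache[pendingID]; ok {
		return p, nil
	}
	return nil, ErrNotFound
}

// Hardened path: the caller must be a member of the post's channel. Missing and
// forbidden IDs yield the same error, so a guessed ID reveals nothing about private posts.
func (s *Store) GetPostByPendingID(userID, pendingID string) (*Post, error) {
	p, ok := s.pendingCache[pendingID]
	if !ok || !s.members[p.ChannelID][userID] {
		return nil, ErrNotFound
	}
	return p, nil
}

// NewSampleStore builds constructed data: one private channel with a single member.
func NewSampleStore() *Store {
	p := &Post{ID: "post-1", PendingPostID: "pp-sample-1", ChannelID: "ch-private", Message: "internal note"}
	return &Store{
		pendingCache: map[string]*Post{p.PendingPostID: p},
		members:      map[string]map[string]bool{"ch-private": {"alice": true}},
	}
}

func main() {
	_, err := NewSampleStore().GetPostByPendingID("bob", "pp-sample-1") // bob is not a member
	fmt.Println("non-member lookup:", err)
}
```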

Impact

Exploitation of this vulnerability allows unauthorized access to private channel posts, enabling users to read sensitive information they should not have access to.

Remediation

Users can upgrade to Mattermost versions 10.9.0, 10.8.2, 10.7.4, or 9.11.17 to address this vulnerability.

Added: Jul 18, 2025, 9:17 AM
Updated: Jul 18, 2025, 9:17 AM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          3.1
  impact          2.5
  exploitability  4.8
  remediation     7.7
  relevance       0.3
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.