Access Control Flaw in Mattermost Affected Product
CVE-2025-24866

2.7LOW

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 10 April 2025

Summary

A critical access control issue in Mattermost allows users with specific administrative roles to access the /api/v4/audits endpoint. This flaw permits unauthorized retrieval of User Activity Logs by users lacking the required permissions for Compliance Monitoring, potentially compromising sensitive activity data.

Affected Version(s)

Mattermost 9.11.0 <= 9.11.8

Mattermost 10.5.0

Mattermost 9.11.9

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2025
Vulnerability Reserved
Mar 20, 2025

Credit

BasilJawan