Access Control Bypass in Mattermost by Mattermost Inc.
CVE-2025-2564

4.3MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 16 April 2025

Summary

Mattermost versions 10.5.x (up to 10.5.1), 10.4.x (up to 10.4.3), and 9.11.x (up to 9.11.9) are susceptible to an access control bypass. This vulnerability permits authenticated users to access member details and information from archived channels, even when the system console's setting to allow such actions is disabled. As a result, sensitive information may be inadvertently exposed, posing a significant risk to user privacy and data security.

Affected Version(s)

Mattermost 10.5.0 <= 10.5.1

Mattermost 10.4.0 <= 10.4.3

Mattermost 9.11.0 <= 9.11.9

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 16, 2025