Guest User Permission Flaw in Mattermost Software
CVE-2025-41443

CVSS score: 4.3 (MEDIUM)

Key Information:

Vendor: Mattermost

CVE Published: 16 October 2025

What is CVE-2025-41443?

A vulnerability exists in Mattermost software that allows guest users to bypass intended access controls, potentially leading to unauthorized discovery of public channels and their associated metadata. Specifically, certain versions of Mattermost fail to properly validate guest user permissions when accessing channel data through the API endpoint. This flaw may expose sensitive information about active public channels to unauthorized users.

Affected Version(s)

Mattermost 10.5.0 up to and including 10.5.10

Mattermost 10.11.0 up to and including 10.11.2

Mattermost 10.12.0

CVSS v3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

lordwillmore