CVE-2025-11777 — Incorrect Authorization in Mattermost Mattermost

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

CNA3.1

EPSS

0.0%

top 93.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost-server V5 +4 more

Timeline

PublishedNov 13

Latest updateNov 17

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages7 packages

▶NVDmattermost/mattermost_server10.5.0 — 10.5.12+1

▶Gogithub.com/mattermost_mattermost< 5.3.2-0.20250905150616-ba86dfc5876b

▶Gogithub.com/mattermost_mattermost-server10.5.0+incompatible — 10.5.12+incompatible+4

▶Gogithub.com/mattermost_mattermost-server_v5< 5.3.2-0.20250905150616-ba86dfc5876b

▶Gogithub.com/mattermost_mattermost-server_v6< 5.3.2-0.20250905150616-ba86dfc5876b

🔴Vulnerability Details

OSV

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost↗2025-11-17

▶

CVEList

Cross-team channel membership access↗2025-11-13

▶

OSV

Mattermost Incorrect Authorization vulnerability↗2025-11-13

▶

GHSA

Mattermost Incorrect Authorization vulnerability↗2025-11-13

▶