CVE-2025-14350 — Missing Authorization in Mattermost Mattermost-server

CWE-862 — Missing Authorization6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 90.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 16

Latest updateFeb 23

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.10+2

▶Gogithub.com/mattermost_mattermost-server< 5.3.2-0.20251209134645-761e56bb11cc+6

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20251209134645-761e56bb11cc

▶CVEListV5mattermost/mattermost11.1.0 — 11.1.2+2

🔴Vulnerability Details

OSV

Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server↗2026-02-23

▶

OSV

Mattermost fails to properly validate team membership when processing channel mentions↗2026-02-16

▶

CVEList

Information disclosure via channel mentions in posts↗2026-02-16

▶

GHSA

Mattermost fails to properly validate team membership when processing channel mentions↗2026-02-16

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14350 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶