CVE-2025-1792Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization5 documents4 sources
Severity
3.1LOWNVD
EPSS
0.1%
top 66.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMay 30
Latest updateJun 3

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.13+2
Gogithub.com/mattermost_mattermost-server9.0.0-rc1+incompatible9.11.13+incompatible+2
Gogithub.com/mattermost_mattermost_server_v810.6.0-rc110.7.1+3
CVEListV5mattermost/mattermost10.5.010.5.3+1

🔴Vulnerability Details

4
OSV
Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server2025-06-03
GHSA
Mattermost fails to properly enforce access controls for guest users2025-05-30
OSV
Mattermost fails to properly enforce access controls for guest users2025-05-30
CVEList
Improper Access Control in Mattermost Channel Member API2025-05-30
CVE-2025-1792 — Incorrect Authorization | cvebase