CVE-2025-24526: Incorrect Authorization in Mattermost Mattermost-server

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 64.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24, latest update Mar 3

Description

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, and 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export the contents of a channel they should not have access to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

Source      Package                                        Version range                                    More ranges
NVD         mattermost/mattermost_server                   9.11.0 to 9.11.8                                 +4
Go          github.com/mattermost_mattermost-server        9.11.0-rc1+incompatible to 9.11.8+incompatible   +3
Go          github.com/mattermost_mattermost_server_v8     9.11.0-rc1 to 9.11.8                             +4
CVEListV5   mattermost/mattermost                          10.1.0 to 10.1.3                                 +4

Vulnerability Details (4 sources)

OSV (2025-03-03): Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
OSV (2025-02-24): Mattermost fails to restrict channel export of archived channels
GHSA (2025-02-24): Mattermost fails to restrict channel export of archived channels
CVEList (2025-02-24): Channel export permitted on archived channel when viewing archived channels is disabled
CVE-2025-24526 — Incorrect Authorization | cvebase