CVE-2025-41436 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

CNA3.1

EPSS

0.0%

top 93.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedNov 14

Latest updateNov 18

Description

Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server< 11.0.0

▶Gogithub.com/mattermost_mattermost-server< 11.0.0-alpha.1+incompatible+1

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250815165020-c8d66301415d

▶CVEListV5mattermost/mattermost<11.0

🔴Vulnerability Details

OSV

Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server↗2025-11-18

▶

GHSA

Mattermost allows regular users to access archived channel content and files↗2025-11-14

▶

CVEList

Unauthorized access to archived channel content via threads interface↗2025-11-14

▶

OSV

Mattermost allows regular users to access archived channel content and files↗2025-11-14

▶