CVE-2025-47871 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.3

EPSS

0.1%

top 79.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedJun 30

Latest updateJul 28

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.16+4

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.16+incompatible+5

▶Gogithub.com/mattermost_mattermost_server_v89.11.0 — 9.11.16+5

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.5+4

🔴Vulnerability Details

OSV

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server↗2025-07-28

▶

GHSA

Mattermost Incorrect Authorization vulnerability↗2025-06-30

▶

OSV

Mattermost Incorrect Authorization vulnerability↗2025-06-30

▶

CVEList

Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API↗2025-06-30

▶