Mattermost Incorrect Authorization vulnerability

GHSA-mqcj-8c2g-h97q · CVE-2025-11777 · GO-2025-4122

Published Nov 13, 2025 · Modified Nov 17, 2025

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

References

3.1 / 10

LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Packages

Go/github.com/mattermost/mattermost

Fix 5.3.2-0.20250905150616-ba86dfc5876b

Introduced 0

Go/github.com/mattermost/mattermost-server

Fix 10.11.4, 10.5.12, 5.3.2-0.20250905150616-ba86dfc5876b

Introduced 0, 10.11.0, 10.5.0

Go/github.com/mattermost/mattermost-server/v5

Fix 5.3.2-0.20250905150616-ba86dfc5876b

Introduced 0

Go/github.com/mattermost/mattermost-server/v6

Fix 5.3.2-0.20250905150616-ba86dfc5876b

Introduced 0

Go/github.com/mattermost/mattermost/server/v8

Fix 8.0.0-20250905150616-ba86dfc5876b

Introduced 0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes