Mattermost Fails to Properly Perform Viewer Role Authorization

GHSA-fqrq-xmxj-v47x · CVE-2025-1472 · GO-2025-3534

Published Mar 19, 2025 · Modified Mar 25, 2025

Description

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-1472
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes