Mattermost Incorrect Authorization vulnerability

GHSA-wgvp-jj4w-88hf · CVE-2025-47871 · GO-2025-3797

Published Jun 30, 2025 · Modified Jul 28, 2025

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-47871
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes