Mattermost Fails to Verify User's Permissions When Accessing Groups
Moderate severity
GitHub Reviewed
Published May 15, 2025 to the GitHub Advisory Database. Updated May 17, 2025.
Package
Affected versions
>= 10.5.0, <= 10.5.2
>= 9.11.0, <= 9.11.11
< 8.0.0-20250411064244-844447fbd57c
Patched versions
10.5.3
9.11.12
8.0.0-20250411064244-844447fbd57c
Published by the National Vulnerability Database: May 15, 2025
Published to the GitHub Advisory Database: May 15, 2025
Reviewed: May 17, 2025
Last updated: May 17, 2025
Description
Mattermost versions 10.5.x <= 10.5.2 and 9.11.x <= 9.11.11 fail to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.