CVE-2024-23488

Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled.

Published: Feb 29, 2024
Updated: May 4, 2025
CVE: CVE-2024-23488
GHSA: GHSA-xgxj-j98c-59rv
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	9.0.0	9.4.2
github.com/mattermost/mattermost/server/v8	-	8.1.9
mattermost / mattermost_server	-	8.1.9
mattermost / mattermost_server	9.0.0	9.4.2

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2024-23488