CVE-2024-32046

Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored

Published: Apr 26, 2024
Updated: May 13, 2025
CVE: CVE-2024-32046
GHSA: GHSA-vx97-8q8q-qgq5
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-200
CWE-209

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	8.1.0	8.1.12
github.com/mattermost/mattermost-server	9.5.0	9.5.3
github.com/mattermost/mattermost-server	9.6.0-rc1	9.6.1
github.com/mattermost/mattermost-server	9.4.0	9.4.5
mattermost / mattermost_server	8.1.0	8.1.12
mattermost / mattermost_server	9.5.0	9.5.3
mattermost / mattermost_server	9.4.0	9.4.5
mattermost / mattermost_server	9.6.0	9.6.1

https://github.com/mattermost/mattermost/commit/2a48b5b3428cae494452125401e4f72780543ac8
https://github.com/mattermost/mattermost/commit/93738756ff79777c6e340c8de63a7b4b0f881d27
https://github.com/mattermost/mattermost/commit/aa222c66b799c12e32eeb8eae6f555bf6140375b
https://github.com/mattermost/mattermost/commit/c84c25b20c8b8726a2f126ae9370a72498096172
https://mattermost.com/security-updates

Vulnerability Database

290,020

CVE-2024-32046