CVE-2025-1792

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

Published: May 30, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-1792
GHSA: GHSA-hc6v-386m-93pq
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	10.6.0-rc1	10.7.1
github.com/mattermost/mattermost/server/v8	10.0.0-rc1	10.5.4
github.com/mattermost/mattermost/server/v8	9.0.0-rc1	9.11.13
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250414110750-c23f44fe8ed0

https://github.com/mattermost/mattermost/commit/c23f44fe8ed02f71d506f99adc30ad34c58c89d1
https://mattermost.com/security-updates

Vulnerability Database

289,697

CVE-2025-1792