CVE-2025-24526

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it

Published: Feb 24, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-24526
GHSA: GHSA-q8p2-2hwc-jw64
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250110161910-96195f1bd746
github.com/mattermost/mattermost/server/v8	9.11.0-rc1	9.11.8
github.com/mattermost/mattermost/server/v8	10.2.0-rc1	10.2.3
github.com/mattermost/mattermost/server/v8	10.3.0-rc1	10.3.3
github.com/mattermost/mattermost/server/v8	10.4.0-rc1	10.4.2

https://github.com/mattermost/mattermost-plugin-channel-export/commit/3c052b66207fb734bfc4c948941e7f7522a82550
https://github.com/mattermost/mattermost-plugin-channel-export/issues/51
https://github.com/mattermost/mattermost/commit/96195f1bd7467f572525c35b5087acaeb53daa63
https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2025-24526