GHSA-wgvp-jj4w-88hf: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.
CVE ID: CVE-2025-47871
Severity: Moderate (GitHub Reviewed). Published to the GitHub Advisory Database: Jun 30, 2025. Last updated: Jun 30, 2025.
| Package | Affected versions | Patched versions |
| --- | --- | --- |
| gomod github.com/mattermost/mattermost-server (Go) | < 0.0.0-20250513065225-4ae5d647fb88 | 0.0.0-20250513065225-4ae5d647fb88 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250513065225-4ae5d647fb88 | 8.0.0-20250513065225-4ae5d647fb88 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | >= 9.11.0, < 9.11.16 | 9.11.16 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | >= 10.5.0, < 10.5.6 | 10.5.6 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0, < 10.6.6 | 10.6.6 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0, < 10.7.3 | 10.7.3 |
| gomod github.com/mattermost/mattermost/server/v8 (Go) | >= 10.8.0, < 10.8.1 | 10.8.1 |
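As an added illustration of the authorization flaw described above (constructed model code, not Mattermost's own types or API), the vulnerable variant below gates the linked channel's name, display name and participant count on run membership alone, while the fixed variant also requires membership of a private linked channel. The struct names, user IDs and channel values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model; these are not Mattermost's own types or API.
type Channel struct {
	ID, Name, DisplayName string
	Private               bool
	Members               map[string]bool // channel membership
}

type Run struct {
	ID, ChannelID string
	Members       map[string]bool // playbook run membership
}

type ChannelMetadata struct { // what the run metadata endpoint returns about the linked channel
	Name, DisplayName string
	ParticipantCount  int
}

var ErrForbidden = errors.New("forbidden")

// runMetadataVulnerable models the flawed check: run membership alone unlocks the channel details.
func runMetadataVulnerable(userID string, run Run, ch Channel) (ChannelMetadata, error) {
	if !run.Members[userID] {
		return ChannelMetadata{}, ErrForbidden
	}
	return ChannelMetadata{ch.Name, ch.DisplayName, len(ch.Members)}, nil
}

// runMetadataFixed also requires the caller to be a member of a private linked channel.
func runMetadataFixed(userID string, run Run, ch Channel) (ChannelMetadata, error) {
	if !run.Members[userID] || run.ChannelID != ch.ID || (ch.Private && !ch.Members[userID]) {
		return ChannelMetadata{}, ErrForbidden
	}
	return ChannelMetadata{ch.Name, ch.DisplayName, len(ch.Members)}, nil
}

func main() {
	ch := Channel{ID: "c1", Name: "incident-42", DisplayName: "Incident 42", Private: true, Members: map[string]bool{"alice": true}}
	run := Run{ID: "r1", ChannelID: "c1", Members: map[string]bool{"alice": true, "bob": true}}
	_, vulnErr := runMetadataVulnerable("bob", run, ch) // bob is a run member but not a channel member
	_, fixedErr := runMetadataFixed("bob", run, ch)
	fmt.Println("vulnerable:", vulnErr, "fixed:", fixedErr) // vulnerable: <nil> fixed: forbidden
}
```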
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-47871
- https://mattermost.com/security-updates