PT-2023-21045 · Unknown · Mattermost

Foobar7 · Published 2023-02-27 · Updated 2024-03-06 · CVE-2023-27266

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost (affected versions not specified)

Description: The issue concerns the /api/v4/users/me/teams API endpoint, where Mattermost fails to honor the ShowEmailAddress setting. This allows an attacker with team admin privileges to obtain the team owner's email address in the response.

Recommendations: As a temporary workaround, consider restricting access to the /api/v4/users/me/teams API endpoint until a patch is available. Restrict team admin privileges to minimize the risk of exploitation. Avoid using the email variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
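As an added verification helper (not Mattermost's own code) for confirming whether a /api/v4/users/me/teams response still discloses email addresses while ShowEmailAddress is false, e.g. after applying the workaround above. The field layout of the constructed sample bodies is assumed; the walker flags any email-shaped string wherever it appears, so it does not depend on that layout. The fetch helper assumes a Mattermost personal access or session token sent as a bearer token.

```python
import json
import re
import urllib.request
from typing import Any, Iterator

# Loose shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_email_fields(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string in the document that looks like an email."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_email_fields(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_email_fields(value, f"{path}[{index}]")
    elif isinstance(node, str) and EMAIL_RE.match(node):
        yield path, node


def unexpected_emails(body: str, show_email_address: bool) -> list[tuple[str, str]]:
    """Email fields that should not be in the response given the server's ShowEmailAddress.

    With ShowEmailAddress=true the server is allowed to return them, so the result
    is empty; with it false, every hit is a disclosure worth reporting."""
    if show_email_address:
        return []
    return list(find_email_fields(json.loads(body)))


def fetch_my_teams(base_url: str, token: str) -> str:
    """GET /api/v4/users/me/teams as the token's user; returns the raw response body."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/users/me/teams",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bodies (not captured from a real server): one team whose
# "email" field is populated, and the same team with the field blanked out.
SAMPLE_LEAK = json.dumps([{"id": "t1", "display_name": "Engineering",
                           "email": "owner@example.test"}])
SAMPLE_CLEAN = json.dumps([{"id": "t1", "display_name": "Engineering", "email": ""}])

if __name__ == "__main__":
    for label, body in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        hits = unexpected_emails(body, show_email_address=False)
        print(f"{label}: {'DISCLOSURE ' + str(hits) if hits else 'no email fields'}")
```

Run it against a live server by replacing the sample bodies with `fetch_my_teams(base_url, token)` using a team admin's token and your server's ShowEmailAddress value; an empty result means the endpoint no longer returns email fields to that role.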

Information Disclosure

Weakness Enumeration

Related Identifiers: BIT-MATTERMOST-2023-27266, CVE-2023-27266

Affected Products: Mattermost