CVE-2025-24866

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.8

Description: The issue is related to improper access controls on the "/api/v4/audits" endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

Recommendations: For Mattermost versions 9.11.x through 9.11.8, consider restricting access to the "/api/v4/audits" endpoint until a patch is available. As a temporary workaround, review and adjust the delegated granular administration roles to ensure proper access controls are in place.

Fix

LPE

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2025-24866

GHSA-XFQ9-HH5X-XFQ9

GO-2025-3604

OPENSUSE-SU-2025:15017-1

Affected Products

Mattermost

CVE-2025-24866

Weakness Enumeration

Related Identifiers

Affected Products

References · 40