PT-2025-23306 · Mattermost · Mattermost

Bob10X1 · Published 2025-05-30 · Updated 2025-07-03 · CVE-2025-1792

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.7.x through 10.7.0
Mattermost versions 10.5.x through 10.5.3
Mattermost versions 9.11.x through 9.11.12

Description

Mattermost fails to properly enforce access controls when guest users request channel member information. As a result, an authenticated guest user can view metadata about the members of public channels through the channel members API endpoint.

Recommendations

For versions 10.7.x through 10.7.0, consider restricting access to the channel members API endpoint so that guest users cannot view metadata about members of public channels.
For versions 10.5.x through 10.5.3, restrict access to the channel members API endpoint to minimize the risk of exploitation.
For versions 9.11.x through 9.11.12, limit guest users' access to the channel members API endpoint until a fix is available.
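The authorization decision the advisory describes, as an added illustration rather than Mattermost's own code: the flawed check (public channel means any authenticated account may list members) beside the corrected one (a guest's visibility ends at its own memberships), plus a replay helper that flags the requests only the flawed check would have served. User, Channel and the sample request records are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed illustration of the access decision the advisory describes;
# not Mattermost's code. User, Channel and the request records are assumed.

@dataclass(frozen=True)
class User:
    user_id: str
    is_guest: bool = False

@dataclass(frozen=True)
class Channel:
    channel_id: str
    is_public: bool
    member_ids: frozenset = frozenset()

def vulnerable_can_list_members(user: User, channel: Channel) -> bool:
    """Flawed shape: any authenticated account may read a public channel's
    member list, so a guest reaches channels it was never added to."""
    return channel.is_public or user.user_id in channel.member_ids

def fixed_can_list_members(user: User, channel: Channel) -> bool:
    """Corrected shape: a guest's visibility ends at its own channel
    memberships; public/private only matters for regular accounts."""
    if user.is_guest:
        return user.user_id in channel.member_ids
    return channel.is_public or user.user_id in channel.member_ids

def exposed_requests(requests, channels):
    """Replay (user, channel_id) member-list requests and return those the
    flawed check served but the corrected check refuses."""
    return [
        (user.user_id, cid)
        for user, cid in requests
        if vulnerable_can_list_members(user, channels[cid])
        and not fixed_can_list_members(user, channels[cid])
    ]

# Constructed sample data: guest1 was added only to the private "proj-x".
CHANNELS = {
    "town-square": Channel("town-square", True, frozenset({"alice", "bob"})),
    "proj-x": Channel("proj-x", False, frozenset({"alice", "guest1"})),
    "private-ops": Channel("private-ops", False, frozenset({"bob"})),
}
GUEST = User("guest1", is_guest=True)
SAMPLE_REQUESTS = [(GUEST, "town-square"), (GUEST, "proj-x"), (GUEST, "private-ops")]
```

Running the replay over the sample yields only the guest's request against "town-square": the public channel it is not a member of, which is exactly the exposure the advisory describes.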

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2025-1792
GHSA-HC6V-386M-93PQ
GO-2025-3730
OPENSUSE-SU-2025:15225-1

Affected Products

Mattermost