CVE-2025-4128

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.4 Mattermost versions 9.11.x through 9.11.13

Description The issue allows guest users to bypass permissions and view information about public teams they are not members of via a direct API call to "/api/v4/teams/{team id}". This is due to a failure to properly restrict API access to team information.

Recommendations For Mattermost versions 10.5.x through 10.5.4, update to a version later than 10.5.4 to resolve the issue. For Mattermost versions 9.11.x through 9.11.13, update to a version later than 9.11.13 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v4/teams/{team id}" API endpoint to minimize the risk of exploitation.