CVE-2025-47871

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.5 Mattermost versions 9.11.x through 9.11.15 Mattermost versions 10.8.x through 10.8.0 Mattermost versions 10.7.x through 10.7.2 Mattermost versions 10.6.x through 10.6.5

Description: The issue is related to the improper validation of channel membership when retrieving playbook run metadata. This allows authenticated users who are playbook members but not channel members to access sensitive information about linked private channels, including channel name, display name, and participant count, through the run metadata API endpoint.

Recommendations: For Mattermost versions 10.5.x through 10.5.5, update to a version later than 10.5.5 to resolve the issue. For Mattermost versions 9.11.x through 9.11.15, update to a version later than 9.11.15 to resolve the issue. For Mattermost versions 10.8.x through 10.8.0, update to a version later than 10.8.0 to resolve the issue. For Mattermost versions 10.7.x through 10.7.2, update to a version later than 10.7.2 to resolve the issue. For Mattermost versions 10.6.x through 10.6.5, update to a version later than 10.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the run metadata API endpoint until a patch is available.