PT-2025-42437 · Mattermost · Mattermost

Lordwillmore

Published

2025-10-16

Updated

2025-11-07

CVE-2025-41443

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.11.x through 10.11.2

Description The software does not properly validate guest user permissions when accessing channel information. This allows guest users to discover active public channels and their metadata. The affected API endpoint is /api/v4/teams/{team id}/channels/ids. The team id is a vulnerable parameter.

Recommendations Update Mattermost to a version later than 10.5.10. Update Mattermost to a version later than 10.11.2.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-41443

GHSA-7CR3-38JM-6P45

GO-2025-4031

OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost

PT-2025-42437 · Mattermost · Mattermost

CVE-2025-41443

Weakness Enumeration

Related Identifiers

Affected Products

References · 83