CVE-2025-11776

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to 11

Description The software does not properly restrict access to the archived channel search API. This allows guest users to discover archived public channels using the /api/v4/teams/{team id}/channels/search archived API endpoint. The vulnerable parameter is team id.

Recommendations Update to version 11 or later.

Fix

Incorrect Authorization

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-284

Related Identifiers

BDU:2025-16013

CVE-2025-11776

GHSA-J6GG-R5JC-47CM

GO-2025-4126

Affected Products

Mattermost

CVE-2025-11776

Weakness Enumeration

Related Identifiers

Affected Products

References · 11