PT-2025-48275 · Mattermost · Mattermost
Hainguyen0207
·
Published
2025-10-28
·
Updated
2026-01-06
·
CVE-2025-12559
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.12
Mattermost versions 10.11.x through 10.11.4
Mattermost versions 10.12.x through 10.12.1
Mattermost versions 11.0.x through 11.0.2
Description
The software does not properly restrict access to team email addresses. Specifically, it fails to ensure that team email addresses are only visible to Team Admins. Any authenticated user can view these email addresses by sending a GET request to the
/api/v4/channels/{channel id}/common teams API endpoint. The channel id variable is used in the request.Recommendations
Update Mattermost to a version later than 10.5.12.
Update Mattermost to a version later than 10.11.4.
Update Mattermost to a version later than 10.12.1.
Update Mattermost to a version later than 11.0.2.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost