CVE-2025-0503

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.6

Description The issue allows an attacker to infer user IDs and other metadata from deleted direct messages (DMs) if someone had manually marked DMs as deleted in the database. This is possible because the software fails to filter out DMs from the deleted channels endpoint.

Recommendations For Mattermost versions 9.11.x through 9.11.6, consider restricting access to the deleted channels endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.