CVE-2025-41436: Mattermost allows regular users to access archived channel content and files
Mattermost versions < 11.0 fail to properly enforce the “Allow users to view archived channels” setting, which allows regular users to access archived channel content and files via the “Open in Channel” functionality from followed threads.