CVE-2025-11776: Mattermost fails to properly restrict access to archived channel search API
Mattermost versions < 11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the /api/v4/teams/{team_id}/channels/search_archived endpoint.