CVE-2025-11777: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
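The advisory describes a missing authorization step: an "add member" operation on a channel that never confirms the caller and the target user belong to the team that owns the channel, so a user from one team can learn metadata and membership of another team. The Go program below is an added illustration of that defect beside its fix; it is not Mattermost code and does not model Mattermost's API. The Store type, the user and team names, and the e-mail field standing in for "user metadata" are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Store is a constructed in-memory model of teams, channels and memberships.
type Store struct {
	teamMembers    map[string]map[string]bool // teamID -> userID -> is member
	channelTeam    map[string]string          // channelID -> owning teamID
	channelMembers map[string]map[string]bool // channelID -> userID -> is member
	userEmail      map[string]string          // userID -> metadata that should stay team-scoped
}

var (
	ErrForbidden = errors.New("forbidden: team membership required")
	ErrNotFound  = errors.New("not found")
)

// NewDemoStore builds the constructed fixture: alice and carol are on team-eng,
// bob is only on team-sales, and channel ch-eng belongs to team-eng.
func NewDemoStore() *Store {
	return &Store{
		teamMembers: map[string]map[string]bool{
			"team-eng":   {"alice": true, "carol": true},
			"team-sales": {"bob": true},
		},
		channelTeam:    map[string]string{"ch-eng": "team-eng"},
		channelMembers: map[string]map[string]bool{"ch-eng": {"alice": true}},
		userEmail: map[string]string{
			"alice": "alice@example.test",
			"bob":   "bob@example.test",
			"carol": "carol@example.test",
		},
	}
}

// AddChannelMemberUnchecked shows the flawed pattern: it validates that the channel
// and the target user exist, then adds the member and echoes the user's metadata,
// without ever asking whether the requester may act within the channel's team.
func AddChannelMemberUnchecked(s *Store, requester, channelID, target string) (string, error) {
	if _, ok := s.channelTeam[channelID]; !ok {
		return "", ErrNotFound
	}
	email, ok := s.userEmail[target]
	if !ok {
		return "", ErrNotFound
	}
	s.channelMembers[channelID][target] = true
	return email, nil // metadata is returned even when requester is on another team
}

// AddChannelMemberChecked is the hardened form: the requester must be a member of
// the team that owns the channel, and so must the target user. The membership check
// runs before any lookup that would reveal whether the target user exists, so a
// caller from another team learns nothing from the response.
func AddChannelMemberChecked(s *Store, requester, channelID, target string) (string, error) {
	teamID, ok := s.channelTeam[channelID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.teamMembers[teamID][requester] {
		return "", ErrForbidden
	}
	if !s.teamMembers[teamID][target] {
		return "", ErrForbidden
	}
	email, ok := s.userEmail[target]
	if !ok {
		return "", ErrNotFound
	}
	s.channelMembers[channelID][target] = true
	return email, nil
}

func main() {
	s := NewDemoStore()
	// bob (team-sales) adds alice to a team-eng channel.
	email, err := AddChannelMemberUnchecked(s, "bob", "ch-eng", "alice")
	fmt.Printf("unchecked: email=%q err=%v\n", email, err)
	email, err = AddChannelMemberChecked(s, "bob", "ch-eng", "alice")
	fmt.Printf("checked:   email=%q err=%v\n", email, err)
}
```

Running it shows the unchecked variant handing alice's e-mail to bob, while the checked variant returns ErrForbidden before touching the user record. The same ordering (authorize on team membership first, look up the target second) is what prevents an API from doubling as a cross-team user-enumeration oracle.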
References
- github.com/advisories/GHSA-mqcj-8c2g-h97q
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52
- github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149
- github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-11777