CVE-2025-1792: Mattermost fails to properly enforce access controls for guest users

May 30, 2025

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

References

github.com/advisories/GHSA-hc6v-386m-93pq
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/c23f44fe8ed02f71d506f99adc30ad34c58c89d1
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-1792

Code Behaviors & Features

Detect and mitigate CVE-2025-1792 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →