1+ {
2+ "schema_version" : " 1.4.0"
3+ "id" : " GHSA-mqcj-8c2g-h97q"
4+ "modified" : " 2025-11-14T15:54:51Z"
5+ "published" : " 2025-11-13T18:31:05Z"
6+ "aliases" : [
7+ " CVE-2025-11777"
8+ ],
9+ "summary" : " Mattermost Incorrect Authorization vulnerability"
10+ "details" : " Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint."
11+ "severity" : [
12+ {
13+ "type" : " CVSS_V3"
14+ "score" : " CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
15+ }
16+ ],
17+ "affected" : [
18+ {
19+ "package" : {
20+ "ecosystem" : " Go"
21+ "name" : " github.com/mattermost/mattermost-server"
22+ },
23+ "ranges" : [
24+ {
25+ "type" : " ECOSYSTEM"
26+ "events" : [
27+ {
28+ "introduced" : " 10.11.0"
29+ },
30+ {
31+ "fixed" : " 10.11.4"
32+ }
33+ ]
34+ }
35+ ]
36+ },
37+ {
38+ "package" : {
39+ "ecosystem" : " Go"
40+ "name" : " github.com/mattermost/mattermost-server"
41+ },
42+ "ranges" : [
43+ {
44+ "type" : " ECOSYSTEM"
45+ "events" : [
46+ {
47+ "introduced" : " 10.5.0"
48+ },
49+ {
50+ "fixed" : " 10.5.12"
51+ }
52+ ]
53+ }
54+ ]
55+ },
56+ {
57+ "package" : {
58+ "ecosystem" : " Go"
59+ "name" : " github.com/mattermost/mattermost/server/v8"
60+ },
61+ "ranges" : [
62+ {
63+ "type" : " ECOSYSTEM"
64+ "events" : [
65+ {
66+ "introduced" : " 0"
67+ },
68+ {
69+ "fixed" : " 8.0.0-20250905150616-ba86dfc5876b"
70+ }
71+ ]
72+ }
73+ ]
74+ },
75+ {
76+ "package" : {
77+ "ecosystem" : " Go"
78+ "name" : " github.com/mattermost/mattermost"
79+ },
80+ "ranges" : [
81+ {
82+ "type" : " ECOSYSTEM"
83+ "events" : [
84+ {
85+ "introduced" : " 0"
86+ },
87+ {
88+ "fixed" : " 5.3.2-0.20250905150616-ba86dfc5876b"
89+ }
90+ ]
91+ }
92+ ]
93+ },
94+ {
95+ "package" : {
96+ "ecosystem" : " Go"
97+ "name" : " github.com/mattermost/mattermost-server"
98+ },
99+ "ranges" : [
100+ {
101+ "type" : " ECOSYSTEM"
102+ "events" : [
103+ {
104+ "introduced" : " 0"
105+ },
106+ {
107+ "fixed" : " 5.3.2-0.20250905150616-ba86dfc5876b"
108+ }
109+ ]
110+ }
111+ ]
112+ },
113+ {
114+ "package" : {
115+ "ecosystem" : " Go"
116+ "name" : " github.com/mattermost/mattermost-server/v5"
117+ },
118+ "ranges" : [
119+ {
120+ "type" : " ECOSYSTEM"
121+ "events" : [
122+ {
123+ "introduced" : " 0"
124+ },
125+ {
126+ "fixed" : " 5.3.2-0.20250905150616-ba86dfc5876b"
127+ }
128+ ]
129+ }
130+ ]
131+ },
132+ {
133+ "package" : {
134+ "ecosystem" : " Go"
135+ "name" : " github.com/mattermost/mattermost-server/v6"
136+ },
137+ "ranges" : [
138+ {
139+ "type" : " ECOSYSTEM"
140+ "events" : [
141+ {
142+ "introduced" : " 0"
143+ },
144+ {
145+ "fixed" : " 5.3.2-0.20250905150616-ba86dfc5876b"
146+ }
147+ ]
148+ }
149+ ]
150+ }
151+ ],
152+ "references" : [
153+ {
154+ "type" : " ADVISORY"
155+ "url" : " https://nvd.nist.gov/vuln/detail/CVE-2025-11777"
156+ },
157+ {
158+ "type" : " WEB"
159+ "url" : " https://github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52"
160+ },
161+ {
162+ "type" : " WEB"
163+ "url" : " https://github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149"
164+ },
165+ {
166+ "type" : " WEB"
167+ "url" : " https://github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5"
168+ },
169+ {
170+ "type" : " PACKAGE"
171+ "url" : " https://github.com/mattermost/mattermost"
172+ },
173+ {
174+ "type" : " WEB"
175+ "url" : " https://mattermost.com/security-updates"
176+ }
177+ ],
178+ "database_specific" : {
179+ "cwe_ids" : [
180+ " CWE-863"
181+ ],
182+ "severity" : " LOW"
183+ "github_reviewed" : true ,
184+ "github_reviewed_at" : " 2025-11-14T15:54:50Z"
185+ "nvd_published_at" : " 2025-11-13T18:15:49Z"
186+ }
187+ }
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments