CVE-2024-32939

4.3 MEDIUM

📋 TL;DR

This vulnerability in Mattermost exposes the email addresses of remote users (accounts synchronized from another Mattermost instance through a shared channel) when shared channels are enabled, even when email visibility is otherwise restricted for the deployment. It affects organizations running Mattermost with the shared channels feature enabled and connected to at least one other instance. The result is unauthorized disclosure of user contact information; no code execution or privilege escalation is involved.

💻 Affected Systems

Products:
  • Mattermost
Versions: 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when shared channels feature is enabled and configured.

📦 What is this software?

Mattermost is an open-source, self-hostable team messaging and collaboration platform. Its shared channels feature lets a channel be federated between separate Mattermost instances; accounts from the other instance appear locally as remote users, and the local server normally applies the same email-visibility rules to them as to local accounts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could harvest email addresses of remote users across federated Mattermost instances, enabling targeted phishing campaigns or identity correlation attacks.

🟠 Likely Case

Internal users with access to shared channels could view email addresses of remote users that should be hidden, violating privacy expectations.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to information disclosure without system compromise.

🌐 Internet-Facing: MEDIUM - Requires shared channels to be enabled and configured with external instances.
🏢 Internal Only: MEDIUM - Internal users could access sensitive information they shouldn't see.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account on a Mattermost instance that has shared channels enabled and a remote connection configured; an attacker with access to a shared channel only needs to view the profiles of the remote users in it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.9.2, 9.5.8, 9.10.1, 9.8.3

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance (database and config.json, plus the data directory if file storage is local).
2. Download and install the patched version for your release branch (9.5.8, 9.8.3, 9.9.2 or 9.10.1) from Mattermost releases.
3. Restart the Mattermost service.
4. Verify the update was successful by confirming the reported server version and re-testing email redaction for a remote user.

🔧 Temporary Workarounds

Disable Shared Channels (all platforms)

Temporarily disable the shared channels feature to prevent exposure of email addresses. Note that this also stops synchronization for every shared channel until the feature is re-enabled. In the 9.x releases listed above the setting lives under ExperimentalSettings, not ServiceSettings; confirm the key on your server with `mmctl config get ExperimentalSettings.EnableSharedChannels` before changing it, since later releases moved it to a different settings section.

mmctl config set ExperimentalSettings.EnableSharedChannels false

mmctl must be authenticated as a system admin (`mmctl auth login`) or run in `--local` mode on the server host.

🧯 If You Can't Patch

  • Disable shared channels feature immediately, or at least remove remote connections you do not strictly need
  • Restrict which accounts may join shared channels, and review the audit log for accounts performing bulk lookups of remote user profiles

🔍 How to Verify

Check if Vulnerable:

Check the Mattermost server version against the affected ranges above, and check whether shared channels are enabled (System Console experimental features, or `mmctl config get ExperimentalSettings.EnableSharedChannels`). An instance that runs an affected version but has the feature disabled and no remote connections is not exposed by this issue.

Check Version:

mmctl system version

Note that `mmctl version` alone reports the mmctl client's version, not the server's. Without mmctl, the server version is also returned in the `X-Version-Id` response header of any API call, for example `curl -sI https://mattermost.example.com/api/v4/system/ping | grep -i x-version-id`.

Verify Fix Applied:

Verify the reported server version is one of the patched releases. Then test redaction directly: with email visibility restricted (PrivacySettings.ShowEmailAddress set to false), log in as a non-admin member of a shared channel and fetch a remote user's profile via GET /api/v4/users/{user_id}; the `email` field should come back empty, as it does for local users.
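To make the two checks above repeatable, here is an added example (not part of the original advisory or of Mattermost's own tooling). It takes a version string such as the one `mmctl system version` prints and decides whether it falls inside the affected ranges listed in this advisory, and it inspects a user object of the shape returned by Mattermost's `/api/v4/users/{user_id}` endpoint for a remote user whose `email` came back populated. The fixed-version table is copied from the advisory; the assumptions are that the last whitespace-separated token of the version output is the bare version, and that remote users carry a non-empty `remote_id` field.

```python
"""Added example: version-range and email-redaction checks for CVE-2024-32939.

Not part of the advisory or of Mattermost's tooling. The fixed-version
table comes from the advisory; the user-object field names are assumptions.
"""
from typing import Optional

# Affected branches from the advisory, mapped to the first fixed patch release.
FIXED_IN = {
    (9, 5): (9, 5, 8),
    (9, 8): (9, 8, 3),
    (9, 9): (9, 9, 2),
    (9, 10): (9, 10, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '9.9.1', 'v9.9.1-rc1' or 'Server version: 9.9.1' into (9, 9, 1).

    Assumption: the bare version is the last whitespace-separated token;
    a leading 'v' and any '-suffix' are dropped before splitting on dots.
    """
    core = text.strip().split()[-1].split("-")[0].lstrip("v")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if at or after
    the fix for its branch, None if the branch is not listed in the advisory
    (older or newer branches cannot be judged from this table)."""
    parts = parse_version(version)
    parts = parts + (0,) * (3 - len(parts))  # '9.9' is treated as 9.9.0
    branch = parts[:2]
    if branch not in FIXED_IN:
        return None
    return parts < FIXED_IN[branch]


def email_leaked(user: dict) -> bool:
    """Flag a remote user whose profile still carries an email address.

    Assumption: users synchronized through a shared channel have a non-empty
    'remote_id'. With email visibility restricted and the fix applied, the
    'email' field returned to a non-admin caller should be empty.
    """
    return bool(user.get("remote_id")) and bool(user.get("email"))


if __name__ == "__main__":
    for v in ("9.9.1", "9.9.2", "9.5.7", "9.10.0", "9.11.0"):
        print(v, "vulnerable:", is_vulnerable(v))
    # Constructed sample response for a remote user, as seen by a non-admin.
    sample_user = {"id": "abc", "username": "remote.bob",
                   "remote_id": "rc-1", "email": "bob@other.example"}
    print("email leaked:", email_leaked(sample_user))
```

Run it against the output of `mmctl system version` for the version check, and feed `email_leaked` the JSON of a remote user's profile fetched with a non-admin session to confirm redaction after the upgrade.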

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to user profile data
  • Multiple queries for remote user information

Network Indicators:

  • Increased API calls to user endpoints from shared channel participants

SIEM Query (illustrative; the event and field names below are placeholders and must be mapped onto the event names and fields of your Mattermost audit log before use):

source="mattermost" AND (event="user_viewed" OR event="profile_viewed") AND remote_user=true
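As an added example of the "multiple queries for remote user information" indicator above (not part of the original advisory and not Mattermost's own detection content), the script below reads newline-delimited JSON audit records, counts user-profile lookups per actor inside a sliding time window, and flags actors that exceed a threshold, optionally restricted to lookups that target known remote user ids. The record shape (`event_name`, `actor.user_id`, `event.parameters.user_id`, `timestamp`) and the event names are assumptions modelled on a JSON audit log and must be mapped to your own schema; the sample records are constructed for this example.

```python
"""Added example: flag accounts enumerating user profiles in an audit log.

Not part of the advisory. Record layout and event names are assumptions;
adapt PROFILE_EVENTS and the field paths to your Mattermost audit schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Assumed audit event names for handlers that return a user profile.
PROFILE_EVENTS = {"getUser", "getUserByUsername", "getUsersByIds"}


def _record(ts, actor, event, target=None):
    rec = {"timestamp": ts, "event_name": event, "status": "success",
           "actor": {"user_id": actor}, "event": {"parameters": {}}}
    if target is not None:
        rec["event"]["parameters"]["user_id"] = target
    return rec


# Constructed sample: alice walks through five remote profiles in 20 seconds,
# bob looks at two, carol posts a message, alice looks at one more much later.
SAMPLE_AUDIT = "\n".join(json.dumps(r) for r in [
    _record("2024-07-01T10:00:00Z", "u_alice", "getUser", "remote_01"),
    _record("2024-07-01T10:00:05Z", "u_alice", "getUser", "remote_02"),
    _record("2024-07-01T10:00:10Z", "u_alice", "getUser", "remote_03"),
    _record("2024-07-01T10:00:15Z", "u_alice", "getUserByUsername", "remote_04"),
    _record("2024-07-01T10:00:20Z", "u_alice", "getUser", "remote_05"),
    _record("2024-07-01T10:01:00Z", "u_bob", "getUser", "remote_01"),
    _record("2024-07-01T10:01:30Z", "u_bob", "getUser", "local_07"),
    _record("2024-07-01T10:02:00Z", "u_carol", "createPost"),
    _record("2024-07-01T10:30:00Z", "u_alice", "getUser", "remote_01"),
])


def parse_ts(text: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def flag_profile_enumeration(ndjson: str, threshold: int = 3,
                             window_s: int = 60, remote_ids=None) -> dict:
    """Return {actor_user_id: peak_lookups} for actors whose profile lookups
    exceed `threshold` within any `window_s`-second window.

    If `remote_ids` is given, only lookups targeting those ids are counted,
    which narrows the alert to the remote users this CVE concerns.
    Records must be in chronological order, as an audit log normally is.
    """
    recent = defaultdict(deque)  # actor -> timestamps inside the window
    peaks = {}
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_name") not in PROFILE_EVENTS:
            continue
        target = rec.get("event", {}).get("parameters", {}).get("user_id")
        if remote_ids is not None and target not in remote_ids:
            continue
        actor = rec.get("actor", {}).get("user_id", "unknown")
        ts = parse_ts(rec["timestamp"])
        window = recent[actor]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop lookups that fell out of the window
        if len(window) > threshold:
            peaks[actor] = max(peaks.get(actor, 0), len(window))
    return peaks


if __name__ == "__main__":
    print(flag_profile_enumeration(SAMPLE_AUDIT))
    print(flag_profile_enumeration(SAMPLE_AUDIT, remote_ids={"remote_01", "remote_02"}))
```

The list of remote user ids can be built from the same API the checks above use (users with a non-empty `remote_id`), so the detector only fires on enumeration of the accounts this issue exposes rather than on ordinary browsing of local colleagues.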

🔗 References
