CVE-2024-34152

4.3 MEDIUM

📋 TL;DR

This vulnerability allows guest users in Mattermost to access metadata of public playbook runs linked to channels they are guests in, bypassing intended access controls. It affects Mattermost versions 9.5.x up to 9.5.3, 9.6.x up to 9.6.1, and 8.1.x up to 8.1.12. The issue occurs when guests send specific GraphQL queries to the server.

💻 Affected Systems

Products:
  • Mattermost
Versions: 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12
Operating Systems: All platforms running affected Mattermost versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires guest users and playbook functionality to be enabled. Only affects metadata access, not full playbook content.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Guest users could access sensitive metadata about playbook runs, potentially exposing operational details, timelines, or other confidential information about team workflows and processes.

🟠

Likely Case

Guests gain unauthorized visibility into playbook run metadata, which could reveal information about team activities, project statuses, or operational procedures they shouldn't access.

🟢

If Mitigated

With proper network segmentation and guest user restrictions, impact is limited to metadata exposure within already accessible channels.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires guest user access and knowledge of GraphQL queries. No authentication bypass needed beyond guest privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.4, 9.6.2, 8.1.13 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance.
2. Download the patched version from Mattermost downloads.
3. Stop the Mattermost service.
4. Replace the installation with the patched version.
5. Restart the Mattermost service.
6. Verify that the version has been updated.

🔧 Temporary Workarounds

Disable Guest Accounts

all

Temporarily disable guest user functionality to prevent exploitation

Update Mattermost config.json: "EnableGuestAccounts": false

Restrict Playbook Access

all

Limit playbook functionality to specific teams or disable it entirely

System Console > Playbooks > Enable Playbooks: false

🧯 If You Can't Patch

  • Implement strict network access controls to limit guest user connections
  • Monitor GraphQL query logs for RHSRuns queries from guest users

🔍 How to Verify

Check if Vulnerable:

Check the Mattermost version via System Console > About Mattermost. If the version falls within the affected ranges and both guest accounts and playbooks are enabled, the system is vulnerable.

Check Version:

From Mattermost CLI: mattermost version or check System Console > About

Verify Fix Applied:

After patching, verify that the version is 9.5.4+, 9.6.2+, or 8.1.13+. Test with a guest account attempting the RHSRuns GraphQL query against a channel it is a guest in; the metadata should no longer be returned.

📡 Detection & Monitoring

Log Indicators:

  • GraphQL queries containing 'RHSRuns' from guest users
  • Unauthorized access attempts to playbook metadata

Network Indicators:

  • GraphQL API requests to /api/v4/graphql carrying the RHSRuns operation from guest user sessions

SIEM Query:

source="mattermost" AND (query="RHSRuns" OR operation="RHSRuns") AND user_role="guest"
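The same log-side check written as a small parser, added here as an example that is not part of this advisory. The JSON field names (ts, user, roles, path, body) and the sample lines are constructed assumptions, not Mattermost's real audit log format; adapt the field mapping to your log source.

```python
import json
import re

# Constructed sample log lines (assumed shape, not Mattermost's actual audit format).
SAMPLE_LOGS = [
    '{"ts":"2024-05-01T10:00:01Z","user":"alice","roles":"system_user",'
    '"method":"POST","path":"/api/v4/graphql",'
    '"body":"query RHSRuns($channelID: String!) { runs(channelID: $channelID) { id name } }"}',
    '{"ts":"2024-05-01T10:00:05Z","user":"guest1","roles":"system_guest",'
    '"method":"POST","path":"/api/v4/graphql",'
    '"body":"query RHSRuns($channelID: String!) { runs(channelID: $channelID) { id name } }"}',
    '{"ts":"2024-05-01T10:00:09Z","user":"guest1","roles":"system_guest",'
    '"method":"GET","path":"/api/v4/users/me","body":""}',
    '{"ts":"2024-05-01T10:00:12Z","user":"bob","roles":"system_user system_admin",'
    '"method":"POST","path":"/api/v4/graphql","body":"query RHSRuns { runs { id } }"}',
    "not json at all",
]

# GraphQL operation names are case-sensitive; match the name the advisory cites.
# Caveat: the operation name is chosen by the client, so name-only matching is a
# convenience signal, not a guarantee that every playbook-run query is caught.
OPERATION_RE = re.compile(r"\b(?:query|mutation)\s+RHSRuns\b")
GRAPHQL_PATH = "/api/v4/graphql"  # endpoint as given in the advisory


def is_guest(roles: str) -> bool:
    """Mattermost role strings are space-separated; system_guest marks a guest."""
    return "system_guest" in roles.split()


def find_guest_rhsruns(lines):
    """Return (timestamp, user) for guest-issued RHSRuns GraphQL requests."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the scan
        if rec.get("path") != GRAPHQL_PATH:
            continue
        if not is_guest(rec.get("roles", "")):
            continue
        if OPERATION_RE.search(rec.get("body", "")):
            hits.append((rec["ts"], rec["user"]))
    return hits


if __name__ == "__main__":
    for ts, user in find_guest_rhsruns(SAMPLE_LOGS):
        print(f"{ts} guest {user} issued RHSRuns query")
```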
