CVE-2025-11776
📋 TL;DR
Mattermost Server versions before 11.0.0 do not enforce authorization on the archived-channel search endpoint (POST /api/v4/teams/{team_id}/channels/search_archived). A guest user can call it and receive the list of archived public channels in a team, including channels the guest is not a member of and is not supposed to see. What leaks is channel metadata (names and similar fields), not message content. Any deployment that has guest accounts enabled is affected.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost: an open-source, self-hostable team messaging and collaboration platform. Guest accounts are a restricted user type that is meant to see only the channels they have been added to; this vulnerability breaks that restriction for archived public channels.
⚠️ Risk & Real-World Impact
Worst Case
Guest users (for example external contractors or customers) enumerate archived channels to map the organization: project code names, client names and team structure, then use that knowledge for social engineering or to target follow-up attacks.
Likely Case
A guest user stumbles on archived channel names and metadata, or searches for them deliberately. Either way the intended access controls are violated and organizational information that should stay private is exposed.
If Mitigated
The endpoint returns channel objects, not posts, so even in the unmitigated case exposure is limited to archived channel names and metadata. Blocking the endpoint at the reverse proxy or disabling guest access removes the exposure until the patch is applied.
🎯 Exploit Status
Exploitation needs only an authenticated guest account. The endpoint is part of the public Mattermost REST API, so finding it requires no reverse engineering, and a single HTTP POST with a JSON body containing a search term triggers the bug. No tooling beyond curl or a browser session is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Mattermost 11.0.0 and later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up the Mattermost database and config.json.
2. Download Mattermost 11.0.0 or later from the official release channel.
3. Stop the Mattermost service.
4. Replace the existing installation with the new version, keeping your existing config and data.
5. Start the Mattermost service.
6. Confirm the new version with mattermost version or System Console > About, then re-test the endpoint with a guest account as described under How to Verify.
🔧 Temporary Workarounds
Disable Guest Accounts
Temporarily disable guest user functionality to prevent exploitation; applies to all platforms.
Edit config.json: under GuestAccountsSettings set "Enable" to false (the same toggle is System Console > Authentication > Guest Access > Enable Guest Access). Disabling guest access deactivates all existing guest accounts, so plan for reactivating them before flipping the switch.
Restart Mattermost service
API Endpoint Restriction
Block access to the vulnerable endpoint using web server or firewall rules in front of Mattermost (Linux reverse-proxy hosts).
nginx: location ~ ^/api/v4/teams/[^/]+/channels/search_archived$ { deny all; }
apache: <LocationMatch "^/api/v4/teams/[^/]+/channels/search_archived$"> Require all denied </LocationMatch>
Caveats: this denies archived-channel search to every user, members and admins included, until you patch. In nginx, place the regex location before any other regex location that also matches /api/ paths, because the first matching regex location wins. The proxy cannot see the Mattermost user's role, so the rule cannot be limited to guests.
🧯 If You Can't Patch
- A reverse proxy or firewall cannot tell guest sessions from member sessions, so network-level restrictions only help if guests reach Mattermost from known networks; in that case deny the search_archived endpoint for those source ranges and leave it open for the rest.
- Keep access logs on the reverse proxy in front of Mattermost and alert on requests to the search_archived endpoint that return 200; correlate the source addresses or sessions with guest accounts.
🔍 How to Verify
Check if Vulnerable:
Check the Mattermost version via System Console > About Mattermost, or run mattermost version on the server. Any version below 11.0.0 is vulnerable when guest accounts are enabled.
Check Version:
mattermost version
Verify Fix Applied:
After patching, repeat the request as a guest user: POST to /api/v4/teams/{team_id}/channels/search_archived with a JSON body of the form {"term": "..."}. The server should answer 403 Forbidden instead of returning a list of archived channels. Use a search term that matches an archived public channel the guest is not a member of, so that a 200 with an empty list cannot be mistaken for a fix.
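The probe described above, written out as an added example (this is not code from the advisory or from the Mattermost project; the base URL, team id, guest credentials and search term are placeholders the operator supplies). It logs in as the guest, issues the POST the endpoint expects, and classifies the reply. An empty 200 response is deliberately not reported as "fixed": the request was accepted, only nothing matched the term.

```python
"""Added example (not from the advisory or from Mattermost): probe the archived-channel
search endpoint with a guest session and interpret the answer.

Assumptions: the operator supplies the server's base URL, a guest account's credentials,
the 26-character team id and a term naming an archived public channel the guest is not in.
"""
import json
import urllib.error
import urllib.request

ENDPOINT = "/api/v4/teams/{team_id}/channels/search_archived"


def login(base_url, login_id, password):
    """Obtain a session token via POST /api/v4/users/login; the token is returned
    in the 'Token' response header."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/users/login",
        data=json.dumps({"login_id": login_id, "password": password}).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["Token"]


def build_request(base_url, team_id, token, term):
    """The search endpoint is a POST with a JSON body {"term": ...}, not a GET."""
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT.format(team_id=team_id),
        data=json.dumps({"term": term}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def classify(status, body):
    """Map HTTP status + body to a verdict.

    200 with channels -> the guest was served archived channels: vulnerable
    200 with []       -> accepted but nothing matched; retry with a better term
    403               -> authorization enforced (expected after the 11.0.0 fix)
    401               -> the session token is bad; fix the probe, not the server
    """
    if status == 200:
        try:
            channels = json.loads(body)
        except ValueError:
            return "inconclusive"
        if isinstance(channels, list):
            return "vulnerable" if channels else "accepted_but_empty"
        return "inconclusive"
    if status == 403:
        return "denied"
    if status == 401:
        return "unauthenticated"
    return "inconclusive"


def probe(base_url, team_id, token, term):
    """Send the request and classify the answer; HTTP errors carry the status too."""
    req = build_request(base_url, team_id, token, term)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    # usage: python probe.py https://mm.example.test <team_id> guest@example.test 'pw' old-project
    import sys
    base, team, user, pw, term = sys.argv[1:6]
    print(probe(base, team, login(base, user, pw), term))
```

Run it once before patching (expect "vulnerable") and once after (expect "denied"); anything else means the probe itself needs adjusting, not that the server is fixed.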
📡 Detection & Monitoring
Log Indicators:
- 200 OK responses to POST /api/v4/teams/*/channels/search_archived for sessions that belong to guest accounts (on an unpatched server every such response is a successful read)
- Repeated searches from one guest account, especially across several teams or with broad terms
Network Indicators:
- HTTP POST requests to the search_archived endpoint from addresses associated with guest users
- A spike in calls to /api/v4/teams/*/channels/* from a single source
SIEM Query (illustrative; field names depend on how your proxy or audit logs are ingested, and a plain access log carries no user role, so the role must be joined in from Mattermost session or audit data):
source="mattermost.log" AND (uri_path="/api/v4/teams/*/channels/search_archived" AND user_role="guest")
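Detection logic for the log indicators above, as an added example that is not part of the advisory. The log lines are constructed in the nginx/Apache combined format with documentation-range addresses; the guest_ips set is an operator-supplied assumption, since a proxy access log records no Mattermost user role.

```python
"""Added example (not from the advisory): flag search_archived activity in a
reverse-proxy access log. SAMPLE_LOG is constructed; the IPs are documentation ranges."""
import re
from collections import defaultdict

# nginx / Apache combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)

# Mattermost ids are 26 lowercase alphanumerics, so the team segment is matched
# exactly rather than with a bare .* that would also swallow other paths.
PATH_RE = re.compile(
    r'^/api/v4/teams/(?P<team>[a-z0-9]{26})/channels/search_archived/?(?:\?.*)?$'
)

SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2025:10:01:02 +0000] "POST /api/v4/teams/8xurq3jtd3ntdf1ohm5h4t7ako/channels/search_archived HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2025:10:01:03 +0000] "POST /api/v4/teams/8xurq3jtd3ntdf1ohm5h4t7ako/channels/search_archived HTTP/1.1" 200 97 "-" "curl/8.4.0"
203.0.113.5 - - [14/Oct/2025:10:01:04 +0000] "POST /api/v4/teams/z9hk1ae6npbt5gp1yqhh8d3i9c/channels/search_archived HTTP/1.1" 200 1204 "-" "curl/8.4.0"
198.51.100.7 - - [14/Oct/2025:10:02:10 +0000] "POST /api/v4/teams/8xurq3jtd3ntdf1ohm5h4t7ako/channels/search_archived HTTP/1.1" 403 58 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2025:10:02:11 +0000] "GET /api/v4/users/me HTTP/1.1" 200 891 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Oct/2025:10:03:00 +0000] "POST /api/v4/teams/8xurq3jtd3ntdf1ohm5h4t7ako/channels/search HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; None for lines that do not fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def search_archived_hits(lines):
    """Records whose path is the search_archived endpoint, with the team id attached."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pm = PATH_RE.match(rec["path"])
        if pm is None:
            continue
        rec["team"] = pm.group("team")
        hits.append(rec)
    return hits


def summarize(lines, guest_ips=frozenset(), threshold=3):
    """Per source address: hit count, 2xx count, distinct teams searched, flag.

    A source is flagged when it got at least one successful answer and either is a
    known guest address (guest_ips, assumed to come from Mattermost session data) or
    hit the endpoint `threshold` times or more. A 403 from a patched server never flags.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "ok": 0, "teams": set(), "guest": False})
    for rec in search_archived_hits(lines):
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        if 200 <= rec["status"] < 300:
            s["ok"] += 1
        s["teams"].add(rec["team"])
        s["guest"] = rec["ip"] in guest_ips
    for s in per_ip.values():
        s["flag"] = s["ok"] > 0 and (s["guest"] or s["hits"] >= threshold)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['hits']} hits, {s['ok']} ok, {len(s['teams'])} team(s), flag={s['flag']}")
```

On the sample data the first address is flagged (three successful searches across two teams), the second is not (its one request was refused with 403), and the request to the unrelated /channels/search endpoint is ignored. Feed the function your own proxy log and the addresses of active guest sessions to tighten the flag to guests only.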