CVE-2025-12559
📋 TL;DR
This vulnerability allows any authenticated Mattermost user to view team email addresses that should only be visible to Team Admins. The information disclosure occurs through the GET /api/v4/channels/{channel_id}/common_teams endpoint. Affected organizations are those running vulnerable Mattermost versions with authenticated user access.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
Sensitive team email addresses are exposed to all authenticated users, potentially enabling social engineering attacks, targeted phishing campaigns, or unauthorized contact with team administrators.
Likely Case
Unauthorized users gain visibility into team contact information that should be restricted, violating privacy expectations and potentially enabling unwanted communications.
If Mitigated
With proper access controls and monitoring, the impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via the documented API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upgrade to Mattermost 11.0.3, 10.12.2, 10.11.5, or 10.5.13
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Backup your Mattermost database and configuration.
2. Download the patched version from Mattermost downloads.
3. Stop the Mattermost service.
4. Replace the Mattermost binary/files with the patched version.
5. Restart the Mattermost service.
6. Verify the version is updated.
🔧 Temporary Workarounds
API Endpoint Restriction
Restrict access to the vulnerable API endpoint using web application firewall or reverse proxy rules.
# Example nginx location block to restrict /api/v4/channels/*/common_teams
location ~ ^/api/v4/channels/[^/]+/common_teams$ {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual API calls to the /api/v4/channels/{channel_id}/common_teams endpoint.
- Review and minimize user permissions, ensuring only necessary users have authenticated access to the Mattermost instance.
🔍 How to Verify
Check if Vulnerable:
Check your Mattermost version via System Console > About or run: mattermost version. Versions earlier than the fixed releases listed under Official Fix are affected.
Check Version:
mattermost version
Verify Fix Applied:
After patching, verify the version is updated and test that authenticated non-admin users cannot access team email addresses via the API endpoint.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/v4/channels/*/common_teams from non-admin users
- Unusual pattern of API calls to team-related endpoints
Network Indicators:
- HTTP 200 responses from /api/v4/channels/{channel_id}/common_teams to non-admin users
SIEM Query:
source="mattermost" AND (uri_path="/api/v4/channels/*/common_teams" OR uri_path LIKE "/api/v4/channels/%/common_teams") AND http_method="GET" AND user_role!="admin"
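Detection logic for the log indicators above, run over constructed sample log lines. This is an added example, not part of the advisory or of Mattermost; the JSON field names (user_id, user_role, http_method, uri_path, status) and the admin role names are assumptions to adapt to your own log pipeline.

```python
import json
import re
from collections import defaultdict

# The affected endpoint: /api/v4/channels/{channel_id}/common_teams
COMMON_TEAMS_RE = re.compile(r"^/api/v4/channels/[^/]+/common_teams$")

# Roles expected to see team email addresses (assumed role names; adjust to your deployment)
ADMIN_ROLES = {"system_admin", "team_admin"}
REQUIRED = ("user_id", "user_role", "http_method", "uri_path", "status")


def parse_line(line):
    # One JSON access-log record per line; malformed or incomplete records are skipped
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if all(k in rec for k in REQUIRED) else None


def is_suspicious(rec):
    # A successful GET on common_teams by a non-admin matches the advisory's indicators
    return (
        rec["http_method"] == "GET"
        and rec["status"] == 200
        and COMMON_TEAMS_RE.match(rec["uri_path"]) is not None
        and rec["user_role"] not in ADMIN_ROLES
    )


def detect(lines, min_hits=1):
    # Map non-admin user_id -> set of channel_ids queried; keep users with >= min_hits channels
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            channel_id = rec["uri_path"].split("/")[4]
            hits[rec["user_id"]].add(channel_id)
    return {user: chans for user, chans in hits.items() if len(chans) >= min_hits}


# Constructed sample log: one non-admin enumerating channels, one admin, one other endpoint,
# one denied request and one malformed line
SAMPLE_LOG = """\
{"ts":"2025-11-01T10:00:01Z","user_id":"u_alice","user_role":"system_user","http_method":"GET","uri_path":"/api/v4/channels/ch_1/common_teams","status":200}
{"ts":"2025-11-01T10:00:02Z","user_id":"u_alice","user_role":"system_user","http_method":"GET","uri_path":"/api/v4/channels/ch_2/common_teams","status":200}
{"ts":"2025-11-01T10:00:03Z","user_id":"u_alice","user_role":"system_user","http_method":"GET","uri_path":"/api/v4/channels/ch_1/common_teams","status":200}
{"ts":"2025-11-01T10:00:04Z","user_id":"u_bob","user_role":"system_admin","http_method":"GET","uri_path":"/api/v4/channels/ch_3/common_teams","status":200}
{"ts":"2025-11-01T10:00:05Z","user_id":"u_carol","user_role":"system_user","http_method":"GET","uri_path":"/api/v4/channels/ch_4/members","status":200}
{"ts":"2025-11-01T10:00:06Z","user_id":"u_dave","user_role":"system_user","http_method":"GET","uri_path":"/api/v4/channels/ch_5/common_teams","status":403}
this line is not json
"""
```

Running detect(SAMPLE_LOG.splitlines()) flags only u_alice with channels ch_1 and ch_2; raising min_hits lets you tune the alert to enumeration-style access rather than a single lookup.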