CVE-2025-14350
📋 TL;DR
This vulnerability allows authenticated Mattermost users to discover the existence of teams and their URL names by posting channel shortlinks and observing API responses. It affects Mattermost instances running vulnerable versions, potentially exposing internal team structure information to authenticated users who shouldn't have that visibility.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could map all teams in the organization, potentially identifying sensitive project teams, leadership channels, or restricted groups that should remain hidden.
Likely Case
Authenticated users can discover team names and URLs they shouldn't have access to, leading to information disclosure about organizational structure.
If Mitigated
With proper access controls and monitoring, the impact is limited to information disclosure about team existence rather than actual content access.
🎯 Exploit Status
Exploitation requires authenticated access and involves posting channel shortlinks and observing API responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Mattermost 11.1.3, 10.11.10, or 11.2.2 or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Backup your Mattermost database and configuration.
2. Download the patched version from Mattermost releases.
3. Stop the Mattermost service.
4. Replace the installation with the patched version.
5. Restart the Mattermost service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable channel mentions
Temporarily disable channel mention functionality to prevent exploitation
Edit config.json: set "EnableChannelMentions" to false
🧯 If You Can't Patch
- Restrict user permissions to minimize who can post channel mentions
- Implement network segmentation to limit access to Mattermost API endpoints
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version via System Console > About or run: mattermost version
Check Version:
mattermost version
Verify Fix Applied:
Verify version is 11.1.3+, 10.11.10+, or 11.2.2+ and test channel mention functionality
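Added example (not code from the advisory or from Mattermost): a small script that turns the version check above into a decision. It reads the first x.y.z triple from the output of `mattermost version` (assumption: the version appears somewhere in that output) and compares it against the three fixed releases per branch; how branches the advisory does not name (e.g. 11.0.x or anything before 10.11) are classified is an assumption, and they are reported as needing an upgrade.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Earliest patched release on each branch, taken from the advisory text.
FIXED_BY_BRANCH = {
    (10, 11): (10, 11, 10),
    (11, 1): (11, 1, 3),
    (11, 2): (11, 2, 2),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)  # (11, 2)


def parse_version(text: str) -> Version:
    """Pull the first x.y.z triple out of free text such as `mattermost version` output.
    Assumption: the server prints its semantic version somewhere in that output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(text: str) -> str:
    """Classify the server as 'patched', 'vulnerable' or 'unlisted-branch'.

    'unlisted-branch' covers branches the advisory names no fix for (assumption:
    treat them as needing an upgrade rather than as safe)."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return "patched" if (major, minor, patch) >= fixed else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        # "11.2.2 or later": branches cut after the newest fixed one carry the fix.
        return "patched"
    return "unlisted-branch"


if __name__ == "__main__":
    # Constructed sample lines, not real server output.
    for sample in ["Version: 11.2.1", "Version: 10.11.10", "Version: 11.0.5"]:
        print(sample, "->", assess(sample))
```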
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of channel mention API calls
- Multiple failed team/channel discovery attempts
Network Indicators:
- Increased API calls to channel_mentions endpoint
- Patterns of shortlink posting followed by API queries
SIEM Query:
source="mattermost" AND (api_path="/api/v4/posts" OR api_path="/api/v4/channels") AND (message="channel_mentions" OR message="shortlink")