CVE-2025-1472
📋 TL;DR
Mattermost versions 9.11.0 through 9.11.8 fail to enforce the 'No Access to Reporting' restriction on the Viewer system role: a user holding that role with reporting access disabled can still view Site Statistics and Team Statistics. This affects any organization that delegates read-only administration through the Viewer role and relies on that setting to keep usage metrics away from those accounts.
💻 Affected Systems
- Mattermost Team Edition
- Mattermost Enterprise Edition
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could access sensitive team performance metrics, user activity statistics, or operational data that should be restricted to administrators or specific roles.
Likely Case
Viewers with restricted reporting permissions could access basic team statistics and site usage data that should be hidden from them.
If Mitigated
Limited exposure of non-critical operational metrics to unauthorized users, with no access to sensitive data like messages, files, or user credentials.
🎯 Exploit Status
Requires an authenticated account that holds the Viewer system role; no other privilege or tooling is needed. Once logged in, the user simply opens System Console > Reporting or calls the statistics API directly, so exploitation is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.11.9 or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up your Mattermost instance (database and data directory).
2. Download Mattermost 9.11.9 or later from mattermost.com/download.
3. Stop the Mattermost service.
4. Replace the existing installation with the new version.
5. Restart the Mattermost service.
6. Verify the version is updated (System Console > About Mattermost).
🔧 Temporary Workarounds
Temporarily remove the Viewer role from affected accounts
Because the flaw is that the 'No Access to Reporting' setting is not enforced, toggling that setting on the Viewer role does not help. Instead, remove the Viewer system role from any account that must not see statistics (demote it to a regular member) until the server is patched.
Use System Console > User Management > System Roles > Viewer to review and remove role members.
🧯 If You Can't Patch
- Review and audit every account that holds the Viewer system role and confirm each one is acceptable to trust with site and team statistics while unpatched
- At the reverse proxy, restrict the System Console reporting pages (/admin_console/reporting/) and the statistics API (/api/v4/analytics/old) to administrator source networks, and log every request to those paths
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version via System Console > About Mattermost. If version is between 9.11.0 and 9.11.8, you are vulnerable.
Check Version:
In Mattermost System Console: System Console > About Mattermost
Verify Fix Applied:
After patching, verify the version is 9.11.9 or later. Then log in with a Viewer role account configured with 'No Access to Reporting': the Reporting section should be unavailable in System Console, and a direct request to the statistics API (for example GET /api/v4/analytics/old?name=standard) should return HTTP 403 rather than data.
📡 Detection & Monitoring
Log Indicators:
- Mattermost audit or server logs showing accounts that hold the Viewer system role requesting the statistics API (GET /api/v4/analytics/old) or System Console pages under /admin_console/reporting/
- Reverse-proxy access logs showing those paths served with HTTP 200 to non-administrator sessions (a 403 means the restriction is being enforced)
Network Indicators:
- HTTP requests to /api/v4/analytics/old or /admin_console/reporting/ from sessions belonging to Viewer-role users
SIEM Query:
source="mattermost" AND (uri_path="/api/v4/analytics/old" OR uri_path="/admin_console/reporting/*") AND user_role="viewer"
Note: Mattermost log lines identify the requesting user by ID, not by role, so user_role must come from enrichment against the current Viewer roster (System Console > User Management > System Roles > Viewer).
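The following is an added example, not code from Mattermost or from this advisory, that applies the detection logic above to constructed log lines and checks a version string against the affected range. The JSON field names (user_id, path, status_code) and the Viewer roster are assumptions; real Mattermost log fields vary by log type and must be mapped accordingly. It goes slightly beyond the SIEM query above by matching path prefixes (so query strings and sub-pages are caught) and by comparing versions numerically rather than as strings.

```python
"""Added example: flag statistics requests by Viewer-role accounts and check a
version against the affected 9.11.0-9.11.8 range. Not Mattermost code."""
import json
import re

# Paths that serve site/team statistics. /admin_console/reporting/... are the
# System Console UI routes; /api/v4/analytics/old is the API the console calls.
STATS_PATH_RE = re.compile(r"^/(api/v4/analytics(/|$)|admin_console/reporting(/|$))")

def parse_version(v):
    """'9.11.8' or 'v9.11.8' -> (9, 11, 8); raises on anything else."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True for 9.11.0 through 9.11.8 inclusive (fixed in 9.11.9).
    Tuple comparison avoids the string pitfall where '9.11.10' < '9.11.8'."""
    return (9, 11, 0) <= parse_version(version) <= (9, 11, 8)

def is_stats_path(path):
    """Prefix match on the path with any query string removed."""
    return bool(STATS_PATH_RE.match(path.split("?", 1)[0]))

def find_viewer_stats_access(log_lines, viewer_user_ids):
    """Return (user_id, path, status_code) for every statistics request made
    by an account in the Viewer roster. Non-JSON lines are skipped."""
    hits = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        user = rec.get("user_id")
        path = rec.get("path", "")
        if user in viewer_user_ids and is_stats_path(path):
            hits.append((user, path.split("?", 1)[0], rec.get("status_code")))
    return hits

# Constructed sample log lines (assumed field names, not real Mattermost output).
SAMPLE_LOG = """
{"timestamp":"2025-03-01T10:00:01Z","user_id":"viewer01","method":"GET","path":"/api/v4/analytics/old?name=standard","status_code":200}
{"timestamp":"2025-03-01T10:00:02Z","user_id":"viewer01","method":"GET","path":"/api/v4/users/me","status_code":200}
{"timestamp":"2025-03-01T10:00:03Z","user_id":"admin01","method":"GET","path":"/api/v4/analytics/old?name=standard&team_id=t1","status_code":200}
{"timestamp":"2025-03-01T10:00:04Z","user_id":"viewer02","method":"GET","path":"/admin_console/reporting/team_statistics","status_code":200}
not a json line
"""
# Assumed roster of user IDs holding the Viewer system role (enrichment source).
VIEWER_USERS = {"viewer01", "viewer02"}

if __name__ == "__main__":
    for ver in ("9.11.8", "9.11.9", "9.11.10"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for user, path, status in find_viewer_stats_access(SAMPLE_LOG.splitlines(), VIEWER_USERS):
        verdict = "restriction enforced" if status == 403 else "DATA SERVED - investigate"
        print(f"{user} {path} -> {status}: {verdict}")
```

Run against exported JSON logs after replacing SAMPLE_LOG with a file read and VIEWER_USERS with the current Viewer roster. A 200 on these paths for a Viewer account before patching is evidence the flaw was used; after patching, the same request should show 403.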