CVE-2025-41443
📋 TL;DR
This vulnerability allows guest users in Mattermost to discover active public channels and their metadata through an API endpoint, bypassing intended permission controls. It affects Mattermost instances running vulnerable versions where guest accounts are enabled. The issue stems from improper validation of guest user permissions when accessing channel information.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
Guest users could map all public channels in an organization, potentially identifying sensitive team structures, project names, or organizational information that should remain hidden from guests.
Likely Case
Guest users gain visibility into public channels they shouldn't have access to, potentially learning about internal team structures or project names.
If Mitigated
Limited information disclosure with no ability to access channel content or perform actions beyond viewing metadata.
🎯 Exploit Status
Exploitation requires a valid guest account. The vulnerability is straightforward to exploit once guest access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.5.13, 10.11.3, or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: No
Instructions:
1. Upgrade Mattermost to version 10.5.13, 10.11.3, or later.
2. No restart required - the fix applies immediately after upgrade.
🔧 Temporary Workarounds
Disable Guest Accounts
Temporarily disable guest account functionality to prevent exploitation.
Edit Mattermost configuration to set 'EnableGuestAccounts' to false
Restrict API Access
Block access to the vulnerable endpoint for guest users via web application firewall or reverse proxy rules.
Configure WAF/reverse proxy to block POST requests to /api/v4/teams/*/channels/ids from guest user sessions
🧯 If You Can't Patch
- Disable guest accounts entirely until patching is possible
- Implement network segmentation to restrict guest user access to only necessary endpoints
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version via System Console > About. If version is 10.5.0-10.5.12 or 10.11.0-10.11.2 with guest accounts enabled, the system is vulnerable.
Check Version:
Check System Console > About in the Mattermost web interface, or query the Mattermost database: SELECT Value FROM Systems WHERE Name='Version'
Verify Fix Applied:
After upgrade, verify version is 10.5.13+, 10.11.3+, or later. Test with a guest account that the /api/v4/teams/{team_id}/channels/ids endpoint properly restricts access.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /api/v4/teams/*/channels/ids from guest user accounts
- Unusual volume of channel metadata requests from guest accounts
Network Indicators:
- Guest accounts making POST requests to channel ID enumeration endpoints
- Pattern of guest users accessing multiple team channel endpoints
SIEM Query:
source="mattermost" AND path="/api/v4/teams/*/channels/ids" AND user_role="guest" AND response_status=200
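The same detection logic as the SIEM query above, run over sample log lines, as an added example (not Mattermost project code). The JSON-per-line layout and field names (user_id, user_role, path, status) are assumptions for illustration; map them to whatever your log source actually emits.

```python
"""Flag guest sessions that receive 200 responses from the channel-ID
enumeration endpoint, and count how many distinct teams each guest touched
(the 'multiple team channel endpoints' pattern from the indicators above)."""
import json
import re
from collections import defaultdict

# Path pattern from the advisory: /api/v4/teams/<team_id>/channels/ids
ENDPOINT_RE = re.compile(r"^/api/v4/teams/(?P<team_id>[^/]+)/channels/ids$")

# Constructed sample log lines (assumed field names, not real Mattermost output)
SAMPLE_LOGS = """\
{"user_id":"g1","user_role":"guest","method":"POST","path":"/api/v4/teams/t-aaa/channels/ids","status":200}
{"user_id":"g1","user_role":"guest","method":"POST","path":"/api/v4/teams/t-bbb/channels/ids","status":200}
{"user_id":"m1","user_role":"system_user","method":"POST","path":"/api/v4/teams/t-aaa/channels/ids","status":200}
{"user_id":"g2","user_role":"guest","method":"POST","path":"/api/v4/teams/t-aaa/channels/ids","status":403}
{"user_id":"g1","user_role":"guest","method":"GET","path":"/api/v4/users/me","status":200}
"""


def parse_logs(text):
    """Yield one dict per non-empty JSON log line; skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def guest_enumeration_hits(text):
    """Return {guest_user_id: set(team_ids)} for successful (200) hits on the
    endpoint. A 403 means the fix or a workaround is holding, so it is not a hit."""
    hits = defaultdict(set)
    for rec in parse_logs(text):
        if rec.get("user_role") != "guest" or rec.get("status") != 200:
            continue
        m = ENDPOINT_RE.match(rec.get("path", ""))
        if m:
            hits[rec["user_id"]].add(m.group("team_id"))
    return dict(hits)


def flag_guests(text, team_threshold=2):
    """Guest accounts with 200s across at least team_threshold distinct teams."""
    return sorted(u for u, teams in guest_enumeration_hits(text).items()
                  if len(teams) >= team_threshold)
```

On a patched server every guest hit should show as 403 and the result should be empty; any 200 after upgrade is worth a second look at the version actually running.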