CVE-2025-47871

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Mattermost users who are members of a playbook, but not members of a private channel linked to that playbook, to read sensitive information about that channel through the playbook run metadata API endpoint. Affected deployments are those running vulnerable Mattermost versions with Playbooks enabled and private channels linked to playbook runs.

💻 Affected Systems

Products:
  • Mattermost
Versions: 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Mattermost Playbooks plugin and private channels to be in use. The vulnerability exists in the API endpoint handling playbook run metadata.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized disclosure of private channel names, display names, and participant counts could enable targeted social engineering, reconnaissance for further attacks, or exposure of confidential team structures.

🟠 Likely Case

Internal users accidentally or intentionally accessing metadata about private channels they shouldn't see, potentially violating data privacy policies or exposing organizational structures.

🟢 If Mitigated

Limited exposure of non-critical metadata with no access to actual channel content or messages.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, exposed Mattermost instances could allow external attackers who obtain credentials to gather intelligence about internal structures.
🏢 Internal Only: MEDIUM - Internal users with legitimate access could abuse this to map organizational structures or gather information about teams they're not authorized to see.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated access and knowledge of playbook IDs, but API calls are straightforward.

Exploitation requires valid user credentials and access to a playbook that links to private channels.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mattermost 10.5.6, 9.11.16, 10.8.1, 10.7.3, 10.6.6 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost installation and database.
2. Download the patched version from mattermost.com/download.
3. Stop the Mattermost service.
4. Replace the installation with the patched version.
5. Restart the Mattermost service.
6. Verify the version is updated.

🔧 Temporary Workarounds

Disable Playbooks Plugin (all platforms)

Temporarily disable the Playbooks plugin to prevent exploitation while planning the upgrade. Note that this removes playbook functionality for all users until the plugin is re-enabled.

mmctl plugin disable playbooks

Restrict API Access (all platforms)

Use network controls or a WAF to restrict access to the playbook run metadata API endpoint (/plugins/playbooks/api/v0/runs/{id}/metadata) until the server is patched.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual API calls to playbook endpoints.
  • Audit user permissions and ensure least privilege access to playbooks and channels.

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version via System Console > About or run: mmctl version

Check Version:

mmctl version

Verify Fix Applied:

Verify version is patched (10.5.6+, 9.11.16+, 10.8.1+, 10.7.3+, or 10.6.6+) and test that non-channel members cannot retrieve private channel metadata via playbook run API.
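The version comparison above is easy to get wrong by hand because the affected ranges are per release branch (10.5.x is fixed at 10.5.6 while 10.8.x is fixed at 10.8.1). The following added example, which is not part of the advisory or of Mattermost's own tooling, encodes the branches and first-fixed patch levels listed on this page and evaluates a version string such as the one printed by System Console > About or `mmctl version`. It assumes the version appears somewhere in the text as `major.minor.patch` (an optional `v` prefix or `-rc` suffix is tolerated); branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Affected branches from the advisory: (major, minor) -> first fixed patch level.
# Every release of that branch with a lower patch level is affected.
FIRST_FIXED = {
    (9, 11): 16,   # 9.11.x <= 9.11.15 affected, fixed in 9.11.16
    (10, 5): 6,    # 10.5.x <= 10.5.5 affected, fixed in 10.5.6
    (10, 6): 6,    # 10.6.x <= 10.6.5 affected, fixed in 10.6.6
    (10, 7): 3,    # 10.7.x <= 10.7.2 affected, fixed in 10.7.3
    (10, 8): 1,    # 10.8.x <= 10.8.0 affected, fixed in 10.8.1
}

# Assumption: the version string contains a plain major.minor.patch triple somewhere.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '10.5.5',
    'v10.8.0-rc1' or a longer line like 'mmctl version: 10.7.2'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version is in an affected range on this page, False if it is at or
    above the first fixed release of its branch, None if the branch is not listed
    in the advisory (e.g. an end-of-life branch) and cannot be decided from it."""
    major, minor, patch = parse_version(version_text)
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        return None
    return patch < first_fixed


def describe(version_text: str) -> str:
    """Human-readable verdict for an operator running the check."""
    verdict = is_vulnerable(version_text)
    major, minor, patch = parse_version(version_text)
    shown = f"{major}.{minor}.{patch}"
    if verdict is None:
        return f"{shown}: branch {major}.{minor}.x not listed in CVE-2025-47871 advisory; check vendor guidance"
    if verdict:
        fixed = f"{major}.{minor}.{FIRST_FIXED[(major, minor)]}"
        return f"{shown}: VULNERABLE, upgrade to {fixed} or later"
    return f"{shown}: patched"


if __name__ == "__main__":
    # Constructed sample inputs, including a line shaped like CLI output.
    for sample in ["10.5.5", "10.5.6", "mmctl version: v10.8.0", "9.11.16", "10.9.0"]:
        print(describe(sample))
```

Paste the string from `mmctl version` or the About dialog into `describe()`; a `None` result means the branch is outside the ranges this advisory enumerates, which is a prompt to consult the vendor advisory rather than a clean bill of health.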

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to /plugins/playbooks/api/v0/runs/{id}/metadata from users not in corresponding private channels
  • Multiple failed permission checks for channel membership

Network Indicators:

  • HTTP GET requests to playbook run metadata endpoints returning 200 OK for users without channel access

SIEM Query:

source="mattermost" AND (uri_path="/plugins/playbooks/api/v0/runs/*/metadata" OR message="channel membership check")
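The SIEM query above surfaces every hit on the run metadata endpoint; the indicator that actually matters is a 200 response to a user who is not a member of the private channel linked to that run. The following added example (not part of the advisory, and not Mattermost code) implements that join offline over constructed JSON access-log lines. The field names `user_id`, `method`, `path` and `status` are an assumption and should be mapped onto whatever your Mattermost server log, audit log or reverse-proxy access log emits; the run-to-channel and channel-membership tables are likewise constructed and would in practice be built from the Playbooks run records and the channel member lists.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Set

# Path shape of the endpoint named in the advisory.
RUN_METADATA_RE = re.compile(r"^/plugins/playbooks/api/v0/runs/([A-Za-z0-9_-]+)/metadata/?$")

# Constructed sample access-log lines, one JSON object per line (field names are an
# assumption, see lead-in). bob is not a member of chanA or chanB.
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-06-01T10:00:01Z","user_id":"alice","method":"GET","path":"/plugins/playbooks/api/v0/runs/run001/metadata","status":200}',
    '{"ts":"2025-06-01T10:00:02Z","user_id":"bob","method":"GET","path":"/plugins/playbooks/api/v0/runs/run001/metadata","status":200}',
    '{"ts":"2025-06-01T10:00:03Z","user_id":"bob","method":"GET","path":"/api/v4/users/me","status":200}',
    '{"ts":"2025-06-01T10:00:04Z","user_id":"carol","method":"GET","path":"/plugins/playbooks/api/v0/runs/run002/metadata","status":403}',
    '{"ts":"2025-06-01T10:00:05Z","user_id":"bob","method":"GET","path":"/plugins/playbooks/api/v0/runs/run002/metadata","status":200}',
    'not a json line at all',
])

# Constructed lookup tables: run -> linked private channel, channel -> member user ids.
RUN_TO_CHANNEL: Dict[str, str] = {"run001": "chanA", "run002": "chanB"}
PRIVATE_CHANNEL_MEMBERS: Dict[str, Set[str]] = {"chanA": {"alice"}, "chanB": {"carol"}}


def find_suspicious(log_text: str,
                    run_to_channel: Dict[str, str],
                    channel_members: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per successful metadata read by a non-member of the linked channel."""
    findings: List[dict] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        match = RUN_METADATA_RE.match(rec.get("path", ""))
        if not match or rec.get("method") != "GET" or rec.get("status") != 200:
            continue  # only successful reads of the run metadata endpoint are of interest
        run_id = match.group(1)
        channel_id = run_to_channel.get(run_id)
        if channel_id is None:
            continue  # run is not linked to a private channel we track
        if rec.get("user_id") in channel_members.get(channel_id, set()):
            continue  # legitimate: requester is a member of the linked channel
        findings.append({
            "ts": rec.get("ts"),
            "user_id": rec.get("user_id"),
            "run_id": run_id,
            "channel_id": channel_id,
        })
    return findings


def hits_per_user(findings: List[dict]) -> Counter:
    """Count findings per user; a high count suggests systematic enumeration of runs."""
    return Counter(f["user_id"] for f in findings)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG, RUN_TO_CHANNEL, PRIVATE_CHANNEL_MEMBERS)
    for f in found:
        print("non-member metadata read:", f)
    print("hits per user:", dict(hits_per_user(found)))
```

Run this over a day's worth of exported log lines; after patching, the same query should return no findings because the server now returns an error to non-members, which is a cheap way to confirm the fix from the log side as well.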
