Mattermost has an Incorrect Authorization vulnerability
Low severity
GitHub Reviewed
Published Oct 16, 2025 to the GitHub Advisory Database • Updated Oct 16, 2025
Published by the National Vulnerability Database: Oct 16, 2025
Reviewed: Oct 16, 2025

Description
Mattermost versions 10.5.x <= 10.5.10 and 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the /api/v4/channels/{channel_id}/members endpoint.

References