VYPR
Moderate severity · NVD Advisory · Published Nov 14, 2025 · Updated Nov 14, 2025

Guest user can discover archived public channels

CVE-2025-11776

Description

Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the /api/v4/teams/{team_id}/channels/search_archived endpoint.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250815165020-c8d66301415d | 8.0.0-20250815165020-c8d66301415d |
| github.com/mattermost/mattermost (Go) | < 5.3.2-0.20250815165020-c8d66301415d | 5.3.2-0.20250815165020-c8d66301415d |
| github.com/mattermost/mattermost-server (Go) | < 5.3.2-0.20250815165020-c8d66301415d | 5.3.2-0.20250815165020-c8d66301415d |
| github.com/mattermost/mattermost-server/v5 (Go) | < 5.3.2-0.20250815165020-c8d66301415d | 5.3.2-0.20250815165020-c8d66301415d |
| github.com/mattermost/mattermost-server/v6 (Go) | < 5.3.2-0.20250815165020-c8d66301415d | 5.3.2-0.20250815165020-c8d66301415d |
