VYPR
Low severity · NVD Advisory · Published Nov 13, 2025 · Updated Nov 13, 2025

Cross-team channel membership access

CVE-2025-11777

Description

Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| github.com/mattermost/mattermost-server | Go | >= 10.11.0, < 10.11.4 | 10.11.4 |
| github.com/mattermost/mattermost-server | Go | >= 10.5.0, < 10.5.12 | 10.5.12 |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250905150616-ba86dfc5876b | 8.0.0-20250905150616-ba86dfc5876b |
| github.com/mattermost/mattermost | Go | < 5.3.2-0.20250905150616-ba86dfc5876b | 5.3.2-0.20250905150616-ba86dfc5876b |
| github.com/mattermost/mattermost-server | Go | < 5.3.2-0.20250905150616-ba86dfc5876b | 5.3.2-0.20250905150616-ba86dfc5876b |
| github.com/mattermost/mattermost-server/v5 | Go | < 5.3.2-0.20250905150616-ba86dfc5876b | 5.3.2-0.20250905150616-ba86dfc5876b |
| github.com/mattermost/mattermost-server/v6 | Go | < 5.3.2-0.20250905150616-ba86dfc5876b | 5.3.2-0.20250905150616-ba86dfc5876b |
