Moderate severityNVD Advisory· Published Feb 16, 2026· Updated Feb 17, 2026
Information disclosure via channel mentions in posts
CVE-2025-14350
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20251209134645-761e56bb11cc | 8.0.0-20251209134645-761e56bb11cc |
github.com/mattermost/mattermost-serverGo | >= 11.1.0 | — |
github.com/mattermost/mattermost-serverGo | >= 10.11.0 | — |
github.com/mattermost/mattermost-serverGo | >= 11.2.0 | — |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20251209134645-761e56bb11cc | 5.3.2-0.20251209134645-761e56bb11cc |
Affected products
1- Range: 11.1.0
Patches
1761e56bb11cc[MM-66791] Add permission check before resolving channel mentions (#34679)
2 files changed · +63 −1
server/channels/app/post.go+1 −1 modified@@ -491,7 +491,7 @@ func (a *App) FillInPostProps(rctx request.CTX, post *model.Post, channel *model } for _, mentioned := range mentionedChannels { - if mentioned.Type == model.ChannelTypeOpen { + if mentioned.Type == model.ChannelTypeOpen && a.HasPermissionToReadChannel(rctx, post.UserId, mentioned) { team, err := a.Srv().Store().Team().Get(mentioned.TeamId) if err != nil { rctx.Logger().Warn("Failed to get team of the channel mention", mlog.String("team_id", channel.TeamId), mlog.String("channel_id", channel.Id), mlog.Err(err))
server/channels/app/post_test.go+62 −0 modified@@ -3118,6 +3118,68 @@ func TestFillInPostProps(t *testing.T) { assert.Nil(t, post1.GetProp(model.PostPropsAIGeneratedByUserID)) assert.Nil(t, post1.GetProp(model.PostPropsAIGeneratedByUsername)) }) + + t.Run("should not populate channel mentions for channels in teams where the user is not a member", func(t *testing.T) { + mainHelper.Parallel(t) + th := Setup(t).InitBasic(t) + + user1 := th.BasicUser + user2 := th.BasicUser2 + + team2 := th.CreateTeam(t) + th.LinkUserToTeam(t, user2, team2) + + // Create a channel in team2 which user1 is not a member of + channel2, err := th.App.CreateChannel(th.Context, &model.Channel{ + DisplayName: "Channel in Team 2", + Name: "channel-in-team-2", + Type: model.ChannelTypeOpen, + TeamId: team2.Id, + CreatorId: user2.Id, + }, false) + require.Nil(t, err) + + dmChannelBetweenUser1AndUser2 := th.CreateDmChannel(t, user2) + + post, err := th.App.CreatePost(th.Context, &model.Post{ + UserId: user1.Id, + ChannelId: dmChannelBetweenUser1AndUser2.Id, + Message: "Testing out i should not be able to mention channel2 from team2? ~" + channel2.Name, + }, dmChannelBetweenUser1AndUser2, model.CreatePostFlags{SetOnline: true}) + require.Nil(t, err) + + err = th.App.FillInPostProps(th.Context, post, dmChannelBetweenUser1AndUser2) + require.Nil(t, err) + + mentions := post.GetProp(model.PostPropsChannelMentions) + require.Nil(t, mentions) + }) + + t.Run("should populate channel mentions for channels in teams where the user is a member", func(t *testing.T) { + mainHelper.Parallel(t) + th := Setup(t).InitBasic(t) + + user1 := th.BasicUser + user2 := th.BasicUser2 + + channel := th.CreateChannel(t, th.BasicTeam) + + dmChannel := th.CreateDmChannel(t, user2) + + post, err := th.App.CreatePost(th.Context, &model.Post{ + UserId: user1.Id, + ChannelId: dmChannel.Id, + Message: "Check out ~" + channel.Name, + }, dmChannel, model.CreatePostFlags{SetOnline: true}) + require.Nil(t, err) + + mentions := post.GetProp(model.PostPropsChannelMentions) + require.NotNil(t, mentions) + + mentionsMap, ok := mentions.(map[string]any) + require.True(t, ok) + require.Contains(t, mentionsMap, channel.Name) + }) } func TestThreadMembership(t *testing.T) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-57cc-2pf4-mhmxghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-14350ghsaADVISORY
- github.com/mattermost/mattermost/commit/761e56bb11ccb751ddbe4bab5898ccc2b384fd82ghsaWEB
News mentions
0No linked articles in our index yet.