Low severity · NVD Advisory · Published May 30, 2025 · Updated Jun 12, 2025
Improper Access Control in Mattermost Channel Member API
CVE-2025-1792
Description
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250414110750-c23f44fe8ed0 | 8.0.0-20250414110750-c23f44fe8ed0 |
Affected products
1- Range: 10.5.0
Patches
1. c23f44fe8ed0 MM-63316: Guest access to channel (#30467)
3 files changed · +52 −0
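--- a/server/channels/api4/channel.go
+++ b/server/channels/api4/channel.go
@@ -1846,6 +1846,13 @@ func addChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Security check: if the user is a guest, they must have access to the channel
+	// to view its members
+	if c.AppContext.Session().IsGuest() && !c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannel) {
+		c.SetPermissionError(model.PermissionReadChannel)
+		return
+	}
+
 	if channel.Type == model.ChannelTypeDirect || channel.Type == model.ChannelTypeGroup {
 		c.Err = model.NewAppError("addUserToChannel", "api.channel.add_user_to_channel.type.app_error", nil, "", http.StatusBadRequest)
 		return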
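Review bot: The two-line comment above the new guard says what it does but not why it is guest-only, and the guard sits in addChannelMember while the advisory talks about reading member metadata, so a reader cannot tell from the hunk why this placement closes the issue; a why-comment would help, e.g. `// Guests only hold PermissionReadChannel on channels they have joined, so this stops a guest from adding a user to a public channel they have not joined (and receiving the resulting membership data); regular team members already hold read access on public channels and are covered by the existing checks below.`. The guard also depends entirely on `IsGuest()`, which the session.go hunk derives from a session prop, so a session where that prop is unset (for example one created before the prop existed, or a user converted to a guest after login) would skip the check silently — worth confirming how and when SessionPropIsGuest is populated, or deriving guest status from the user record instead. addChannelMember starts and ends outside the hunk, so whether an earlier check already covers non-guests is inferred, not visible here.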
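--- a/server/channels/api4/channel_test.go
+++ b/server/channels/api4/channel_test.go
@@ -4091,6 +4091,43 @@ func TestAddChannelMemberFromThread(t *testing.T) {
 	require.Truef(t, caught, "User should have received %s event", model.WebsocketEventThreadUpdated)
 }
 
+func TestAddChannelMemberGuestAccessControl(t *testing.T) {
+	th := Setup(t).InitBasic()
+	defer th.TearDown()
+
+	// Enable guest accounts and add license
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.GuestAccountsSettings.Enable = true
+	})
+	th.App.Srv().SetLicense(model.NewTestLicense())
+
+	// Create a guest user
+	guest, guestClient := th.CreateGuestAndClient()
+
+	// Create a public channel to which the guest doesn't belong
+	publicChannel := th.CreatePublicChannel()
+
+	// Try to add another user to the channel using the guest's client
+	// This should fail with a permission error, validating our fix
+	_, resp, err := guestClient.AddChannelMember(context.Background(), publicChannel.Id, th.BasicUser2.Id)
+	require.Error(t, err)
+	CheckForbiddenStatus(t, resp)
+
+	// Also verify that using user IDs in the request body doesn't bypass the check
+	_, resp, err = guestClient.AddChannelMembers(context.Background(), publicChannel.Id, "", []string{th.BasicUser2.Id})
+	require.Error(t, err)
+	CheckForbiddenStatus(t, resp)
+
+	// Verify that the guest can get channel members for channels they belong to
+	channelWithGuest := th.CreatePublicChannel()
+	th.AddUserToChannel(guest, channelWithGuest)
+
+	// Guest should be able to read members of channels they belong to
+	members, _, err := guestClient.GetChannelMembers(context.Background(), channelWithGuest.Id, 0, 100, "")
+	require.NoError(t, err)
+	require.NotEmpty(t, members)
+}
+
 func TestAddChannelMemberAddMyself(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()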
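Review bot: The new test only asserts the positive side of member listing: it checks that the guest can call GetChannelMembers on channelWithGuest, but never asserts that the same call on `publicChannel` (the channel the guest has not joined) is refused, even though the advisory describes member metadata exposure on exactly that kind of channel. If the listing endpoint is expected to deny this, add the negative case next to the existing ones, e.g. `_, resp, err = guestClient.GetChannelMembers(context.Background(), publicChannel.Id, 0, 100, "")`, `require.Error(t, err)`, `CheckForbiddenStatus(t, resp)`; if it is not, a comment saying that listing is out of scope for this test would stop the next reader from assuming it is covered. The test also regresses only the guest path; a companion assertion that a non-guest team member can still add a user to publicChannel would pin that the new guard has not broadened the denial.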
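--- a/server/public/model/session.go
+++ b/server/public/model/session.go
@@ -254,6 +254,14 @@ func (s *Session) IsSSOLogin() bool {
 	return s.IsOAuthUser() || s.IsSaml()
 }
 
+func (s *Session) IsGuest() bool {
+	val, ok := s.Props[SessionPropIsGuest]
+	if !ok {
+		return false
+	}
+	return val == "true"
+}
+
 func (s *Session) GetUserRoles() []string {
 	return strings.Fields(s.Roles)
 }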
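Review bot: IsGuest is an exported method on Session and has no doc comment, which matters here because callers now use it as an authorization signal; add one that states the source of truth, e.g. `// IsGuest reports whether this session was issued to a guest user, as recorded in the SessionPropIsGuest session prop; it is false when the prop is absent.`. The body can also be one line: a missing key yields the zero string (and reading a nil map is safe), so `return s.Props[SessionPropIsGuest] == "true"` is equivalent to the four-line version, assuming Props is a map[string]string as the comparison suggests. Since the value is a session prop rather than a live lookup of the user's roles, the doc comment should also note that it reflects the user's guest status at the time the prop was written, so callers that must react to a role change within a session's lifetime should not rely on it alone.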