Moderate severityNVD Advisory· Published Mar 21, 2025· Updated Mar 21, 2025

Unauthorized Private-to-Public Channel Conversion

CVE-2025-27933

Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/mattermost/mattermost/server/v8Go	>= 10.4.0, < 10.4.3	10.4.3
github.com/mattermost/mattermost/server/v8Go	>= 10.3.0, < 10.3.4	10.3.4
github.com/mattermost/mattermost/server/v8Go	>= 9.11.0, < 9.11.9	9.11.9
github.com/mattermost/mattermost-serverGo	< 9.11.9	9.11.9
github.com/mattermost/mattermost/server/v8Go	< 8.0.0-20250218135018-e644e3c8e393	8.0.0-20250218135018-e644e3c8e393

Affected products

Mattermost/Mattermostv5
Range: 10.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-h5v9-xw2g-7hrqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-27933ghsaADVISORY
mattermost.com/security-updatesghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000