Mattermost fails to validate user permissions when accessing group data via API endpoints. The vulnerability occurs due to improper permission checks in the `getGroup` and `listGroups` API functions, allowing unauthorized users to retrieve sensitive group metadata. Attackers can craft HTTP requests to `/api/v4/groups` or `/api/v4/groups/{group_id}` without proper role validation, exposing group names, member counts, and visibility settings. The flaw stems from missing `requireUserPermissions()` middleware in affected versions (10.5.0–10.5.2, 9.11.0–9.11.11). Exploitation requires a valid low-privilege session but no group-admin rights.
DailyCVE Form:
Platform: Mattermost
Version: 10.5.0–10.5.2
Vulnerability: Group permission bypass
Severity: Moderate
Date: 2025-05-15
What Undercode Say:
Exploit:
curl -X GET "http://target.com/api/v4/groups" -H "Authorization: Bearer LOW_PRIV_TOKEN"
Detection:
grep -r "requireUserPermissions" /path/to/mattermost/server/api4/group.go
Mitigation:
1. Upgrade to patched versions (10.5.3/9.11.12).
2. Apply runtime patch:
// Add to group.go and call it from the group handlers before any group data is read.
// In api4 handlers the context is passed as *Context and the session is dereferenced
// for the app-layer check; after calling this helper, the handler must check c.Err
// and return, since SetPermissionError only records the error.
func requireGroupAdmin(c *Context) {
	if !c.App.SessionHasPermissionToGroup(*c.AppContext.Session(), c.Params.GroupId, model.PermissionManageGroup) {
		c.SetPermissionError(model.PermissionManageGroup)
	}
}
Log Analysis:
SELECT * FROM audit_logs WHERE endpoint LIKE '%/api/v4/groups%' AND status_code = 200;
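The same check run offline over exported audit-log lines, as an added example that is not part of the advisory: it flags successful reads of the group endpoints by users outside the expected group-admin set, which is precisely what the missing permission check lets through, and a long path list for one user shows bulk enumeration. The NDJSON field names and sample lines are constructed assumptions, not a verified Mattermost audit-log schema.

```python
import json
from collections import defaultdict

# Constructed NDJSON audit lines; field names are an assumption,
# not a verified Mattermost audit-log schema.
SAMPLE_LOG = """
{"event_name":"listGroups","status":"success","actor":{"user_id":"u_alice","ip_address":"10.0.0.5"},"meta":{"api_path":"/api/v4/groups","status_code":200}}
{"event_name":"getGroup","status":"success","actor":{"user_id":"u_alice","ip_address":"10.0.0.5"},"meta":{"api_path":"/api/v4/groups/g1","status_code":200}}
{"event_name":"getGroup","status":"success","actor":{"user_id":"u_alice","ip_address":"10.0.0.5"},"meta":{"api_path":"/api/v4/groups/g2","status_code":200}}
{"event_name":"getGroup","status":"fail","actor":{"user_id":"u_bob","ip_address":"10.0.0.6"},"meta":{"api_path":"/api/v4/groups/g1","status_code":403}}
{"event_name":"listGroups","status":"success","actor":{"user_id":"u_admin","ip_address":"10.0.0.1"},"meta":{"api_path":"/api/v4/groups","status_code":200}}
{"event_name":"getChannel","status":"success","actor":{"user_id":"u_alice","ip_address":"10.0.0.5"},"meta":{"api_path":"/api/v4/channels/c1","status_code":200}}
not json at all
"""

# Constructed: users expected to hold group-management rights.
GROUP_ADMINS = {"u_admin"}
GROUP_EVENTS = {"getGroup", "listGroups"}


def parse_audit_lines(text):
    """Yield one dict per NDJSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_unauthorized_group_reads(text, group_admins=GROUP_ADMINS):
    """Return {user_id: [api_path, ...]} for successful group reads (HTTP 200)
    by users outside group_admins; many paths for one user means enumeration."""
    hits = defaultdict(list)
    for rec in parse_audit_lines(text):
        if rec.get("event_name") not in GROUP_EVENTS:
            continue
        meta = rec.get("meta", {})
        if rec.get("status") != "success" or meta.get("status_code") != 200:
            continue
        user = rec.get("actor", {}).get("user_id", "unknown")
        if user not in group_admins:
            hits[user].append(meta.get("api_path", ""))
    return dict(hits)


if __name__ == "__main__":
    for user, paths in find_unauthorized_group_reads(SAMPLE_LOG).items():
        print(f"{user}: {len(paths)} group read(s) -> {paths}")
```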
WAF Rule:
# Caveat: a bearer token is an opaque string that carries no role name, so this
# pattern match cannot tell group admins from ordinary users; as written it
# denies every request whose Authorization header lacks the listed words.
location ~ /api/v4/groups {
    if ($http_authorization !~ "admin|system_admin") {
        return 403;
    }
}
Impact Assessment:
# Check group exposure with a low-privilege user's token
import requests

headers = {"Authorization": "Bearer USER_TOKEN"}
r = requests.get("http://mattermost/api/v4/groups", headers=headers)
# The endpoint returns a JSON array of group objects, so a patched server
# should answer 403 (or an empty list) for a user without group-admin rights.
assert r.status_code == 403 or not r.json(), "Vulnerable"
Sources:
Reported By: github.com
Extra Source Hub:
Undercode