Mattermost, Channel Conversion Vulnerability, CVE-2025-27933 (Medium)

CVE-2025-27933 is an access control flaw in Mattermost where improper enforcement of channel conversion permissions allows users with “Convert Public to Private” privileges to also convert private channels back to public, bypassing intended restrictions. The vulnerability arises due to missing server-side validation when handling channel visibility toggle requests. Attackers exploiting this could expose sensitive discussions from private channels by forcibly making them public. The issue affects Mattermost versions 10.4.2 and below, 10.3.3 and below, and 9.11.8 and below.
The exploit occurs when a malicious or compromised user with channel management permissions sends a crafted API request to `/api/v4/channels/{channel_id}/convert` without proper privilege checks. The server fails to verify if the user has explicit “Convert Private to Public” rights, relying only on the broader “Manage Public Channel” role assignment. This allows privilege escalation through channel permission abuse.
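The missing check is easiest to see side by side. The following Go program is an added illustration written for this page, not Mattermost's code: it models a privacy-change handler gated only by the broad manage-public-channel role (the flaw the advisory describes) next to a hardened version that requires the permission matching the direction of the requested transition. The permission strings follow Mattermost's permission names, and the channel type codes are Mattermost's ("O" for a public/open channel, "P" for private); the Session and Channel types, the user and channel ids, and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Mattermost channel type codes: "O" is a public (open) channel, "P" is private.
const (
	ChannelTypeOpen    = "O"
	ChannelTypePrivate = "P"
)

// Mattermost permission names, used here as plain strings in a standalone model.
const (
	PermManagePublicChannelProperties = "manage_public_channel_properties"
	PermConvertPublicToPrivate        = "convert_public_channel_to_private"
	PermConvertPrivateToPublic        = "convert_private_channel_to_public"
)

// Channel and Session are simplified stand-ins for the real server types (assumption).
type Channel struct {
	ID   string
	Type string
}

type Session struct {
	UserID string
	Perms  map[string]bool // permissions the caller holds on this channel
}

func (s Session) Has(p string) bool { return s.Perms[p] }

var ErrForbidden = errors.New("forbidden: caller lacks the permission for this conversion")

// vulnerableSetPrivacy reproduces the flaw: the only gate is the broad
// manage-public-channel role, so a caller who was granted only
// public-to-private conversion can still flip a private channel to public.
func vulnerableSetPrivacy(s Session, ch *Channel, newType string) error {
	if !s.Has(PermManagePublicChannelProperties) {
		return ErrForbidden
	}
	ch.Type = newType
	return nil
}

// hardenedSetPrivacy validates the target type and requires the permission
// that matches the direction of the change (public->private or private->public).
func hardenedSetPrivacy(s Session, ch *Channel, newType string) error {
	if newType != ChannelTypeOpen && newType != ChannelTypePrivate {
		return fmt.Errorf("invalid channel type %q", newType)
	}
	if ch.Type == newType {
		return nil // no transition requested, nothing to authorize
	}
	required := PermConvertPublicToPrivate
	if newType == ChannelTypeOpen {
		required = PermConvertPrivateToPublic
	}
	if !s.Has(required) {
		return ErrForbidden
	}
	ch.Type = newType
	return nil
}

func main() {
	// Constructed caller: holds the broad role and public->private rights only.
	caller := Session{UserID: "constructed-channel-admin", Perms: map[string]bool{
		PermManagePublicChannelProperties: true,
		PermConvertPublicToPrivate:        true,
	}}
	private := Channel{ID: "constructed-channel", Type: ChannelTypePrivate}

	v := private
	fmt.Println("vulnerable:", vulnerableSetPrivacy(caller, &v, ChannelTypeOpen), "-> type", v.Type)
	h := private
	fmt.Println("hardened:  ", hardenedSetPrivacy(caller, &h, ChannelTypeOpen), "-> type", h.Type)
}
```

The hardened handler keys the check on the transition actually requested rather than on a role that merely implies some channel-management ability; a server-side check of this shape is what the patched versions listed above are expected to enforce.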

DailyCVE Form:

Platform: Mattermost
Version: <=10.4.2, <=10.3.3, <=9.11.8
Vulnerability: Improper Access Control
Severity: Medium
Date: 03/27/2025

What Undercode Say:

Exploitation:

1. Craft Malicious Request:

curl -X POST -H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"type":"P"}' \
https://TARGET/api/v4/channels/CHANNEL_ID/convert

2. Verify Exploit:

curl -s https://TARGET/api/v4/channels/CHANNEL_ID | jq .type

Output `"P"` confirms private→public conversion.

Mitigation:

1. Patch Upgrade:

For Docker deployments:
docker pull mattermost/mattermost-team-edition:10.4.3

2. Temporary Workaround:

-- Revoke convert permissions via database:
UPDATE Roles SET Permissions = REPLACE(Permissions, 'convert_public_channel', '')
WHERE Name = 'channel_admin';

Detection:

1. Audit Logs for Suspicious Activity:

grep -r "action:channel_convert" /opt/mattermost/logs/

2. Check Channel History:

SELECT Name, Type, LastConvertedAt FROM Channels
WHERE Type = 'P' ORDER BY LastConvertedAt DESC;
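Both detection steps above depend on reading records of channel conversions. The following Go program, added for this page and not part of Mattermost, shows the review logic over a few constructed log lines: it keeps only private-to-public transitions and flags those performed by accounts that were never explicitly granted the private-to-public right, which is the pattern this vulnerability produces. The JSON field names, the event name "updateChannelPrivacy", the user and channel ids, and the log lines themselves are constructed for the example and are not Mattermost's audit log schema.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is a simplified, constructed record shape (assumption), not
// Mattermost's audit log schema.
type AuditEvent struct {
	Timestamp string `json:"timestamp"`
	Event     string `json:"event"`
	UserID    string `json:"user_id"`
	ChannelID string `json:"channel_id"`
	OldType   string `json:"old_type"`
	NewType   string `json:"new_type"`
}

// sampleLog is constructed for this example: one legitimate private->public
// change by u1, one by u2 (who was never granted that right), one
// public->private change, and one unrelated event.
const sampleLog = `
{"timestamp":"2025-03-27T09:58:00Z","event":"updateChannelPrivacy","user_id":"u1","channel_id":"c1","old_type":"P","new_type":"O"}
{"timestamp":"2025-03-27T10:02:00Z","event":"updateChannelPrivacy","user_id":"u2","channel_id":"c2","old_type":"P","new_type":"O"}
{"timestamp":"2025-03-27T10:05:00Z","event":"updateChannelPrivacy","user_id":"u2","channel_id":"c3","old_type":"O","new_type":"P"}
{"timestamp":"2025-03-27T10:06:00Z","event":"createPost","user_id":"u2","channel_id":"c2","old_type":"","new_type":""}
`

// FlagSuspiciousConversions parses one JSON record per line and returns the
// private->public conversions made by users absent from allowed, the set of
// accounts explicitly granted the private-to-public conversion right.
// A malformed line is reported as an error rather than silently skipped, so a
// truncated or tampered log does not quietly pass review.
func FlagSuspiciousConversions(log string, allowed map[string]bool) ([]AuditEvent, error) {
	var flagged []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		// Only the direction this vulnerability enables is of interest here.
		if ev.Event != "updateChannelPrivacy" || ev.OldType != "P" || ev.NewType != "O" {
			continue
		}
		if allowed[ev.UserID] {
			continue
		}
		flagged = append(flagged, ev)
	}
	return flagged, sc.Err()
}

func main() {
	// Constructed allowlist: only u1 holds the explicit private->public right.
	flagged, err := FlagSuspiciousConversions(sampleLog, map[string]bool{"u1": true})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, ev := range flagged {
		fmt.Printf("%s user %s made channel %s public without the explicit right\n",
			ev.Timestamp, ev.UserID, ev.ChannelID)
	}
}
```

The allowlist is the set of accounts an administrator can reconstruct from the Roles table; any private-to-public conversion outside that set on an unpatched version is worth treating as a potential exposure of that channel's history.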

References:

  • Mattermost Security Bulletin
  • NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-27933