Mattermost versions 9.11.0 through 9.11.8 fail to enforce proper access control on the `/api/v4/audits` endpoint. A user who holds a delegated granular administration role, but not the Compliance Monitoring permission, can read User Activity Logs (audit records) through this API. The handler does not verify that the caller holds the permission that gates the same data in the System Console, so any such administrator receives the audit entries. An attacker with one of these roles could retrieve audit records that expose other users' actions, timestamps and system events. The root cause is insufficient role validation before the audit data is returned.
DailyCVE Form:
Platform: Mattermost
Version: 9.11.0-9.11.8
Vulnerability: Improper Access Control
Severity: Low
Date: Apr 10, 2025
What Undercode Say:
Exploitation:
1. Attacker authenticates as a user holding a delegated granular admin role that does not include Compliance Monitoring.
2. Sends an authenticated GET request to `/api/v4/audits`.
3. Receives the audit log entries despite lacking Compliance Monitoring rights.
Detection:
curl -X GET -H "Authorization: Bearer <TOKEN>" https://<mattermost-host>/api/v4/audits
Run this with a token belonging to a delegated admin account that lacks Compliance Monitoring. A 200 response carrying audit entries means the instance is vulnerable; a patched server rejects the call with 403.
Mitigation:
1. Upgrade to Mattermost 9.11.9 or later.
2. Until upgraded, block `/api/v4/audits` at the reverse proxy. Note that this also locks out legitimate Compliance Monitoring users (every client gets 403), so remove the rule once the patch is in place:
location /api/v4/audits { deny all; }
3. Audit which roles carry a compliance-related permission, and compare the result against the delegated admin roles actually assigned:
SELECT Name, Permissions FROM Roles WHERE Permissions LIKE '%compliance%';
Log Analysis:
grep "GET /api/v4/audits" /var/log/mattermost/access.log
The path above is the reverse proxy's access log; adjust it to wherever your proxy writes its log for the Mattermost vhost, and cross-check the hits against accounts that should have had Compliance Monitoring.
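The version check and the log review described above, as an added example that is not part of the original advisory or the Mattermost project: `is_affected` tells whether a version string falls in the 9.11.0-9.11.8 range (it also accepts the longer build string Mattermost sends in its X-Version-Id response header, taking only the first three dot-separated fields), and `audit_hits` reads an nginx combined-format access log and counts, per client address, how many requests to `/api/v4/audits` were actually answered 200. The log lines are constructed sample data; the log format and the commented-out curl line are assumptions about a typical reverse-proxy deployment.

```shell
#!/bin/sh
# Added example for this advisory; not code from Mattermost or the original post.
# Assumptions: the reverse proxy in front of Mattermost writes an nginx
# "combined" format access log, and SAMPLE_LOG below is constructed data.

# is_affected VERSION
# Exit 0 when VERSION is in the vulnerable range 9.11.0-9.11.8.
# Only the first three dot-separated fields are used, so both "9.11.8" and
# a full X-Version-Id value such as "9.11.8.9.11.8.abcdef.true" work.
is_affected() {
    awk -v v="$1" 'BEGIN {
        n = split(v, p, ".")
        if (n < 3) exit 1
        exit !(p[1] + 0 == 9 && p[2] + 0 == 11 && p[3] + 0 >= 0 && p[3] + 0 <= 8)
    }'
}

# audit_hits
# Reads a combined-format access log on stdin and prints "client_ip count"
# for requests to /api/v4/audits that were served with HTTP 200, i.e. where
# audit data actually left the server. 403 responses are rejected calls and
# are deliberately not counted.
# Combined format fields: $1 client, $6 "METHOD, $7 path, $9 status.
audit_hits() {
    awk '$6 == "\"GET" && $7 ~ /^\/api\/v4\/audits(\?|$)/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Constructed sample log (not a real capture): 203.0.113.10 pulls the audit
# log twice and is served both times; 198.51.100.7 is refused with 403 and
# also makes an unrelated request that must not be counted.
SAMPLE_LOG='203.0.113.10 - - [10/Apr/2025:12:00:01 +0000] "GET /api/v4/audits?page=0&per_page=200 HTTP/1.1" 200 8192 "-" "curl/8.5.0"
203.0.113.10 - - [10/Apr/2025:12:00:05 +0000] "GET /api/v4/audits HTTP/1.1" 200 4096 "-" "curl/8.5.0"
198.51.100.7 - - [10/Apr/2025:12:01:00 +0000] "GET /api/v4/audits HTTP/1.1" 403 128 "-" "curl/8.5.0"
198.51.100.7 - - [10/Apr/2025:12:01:30 +0000] "GET /api/v4/users/me HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Usage. On a live host the version can be read from the X-Version-Id header
# (kept commented out so this script runs offline; hostname is a placeholder):
# VERSION=$(curl -sI https://<mattermost-host>/api/v4/system/ping | awk 'tolower($1)=="x-version-id:" {print $2}' | tr -d '\r')
for v in 9.11.0 9.11.8 9.11.9; do
    if is_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
printf '%s\n' "$SAMPLE_LOG" | audit_hits
```

Replace `printf '%s\n' "$SAMPLE_LOG"` with `cat /path/to/access.log` to run `audit_hits` over a real proxy log; any client address that appears in the output and does not belong to a known Compliance Monitoring user is worth following up.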
Workaround:
Revoke, or reassign to non-admin roles, any delegated granular admin roles that should not see audit data until the upgrade is applied.
Impact:
- Unauthorized log access.
- Potential data leakage.
References:
- GitHub Advisory: https://github.com/advisories/GHSA-xfq9-hh5x-xfq9
- NVD: CVE-2025-XXXX