Mattermost, Information Disclosure, CVE-2025-XXXX (Low)


The vulnerability lies in the access control of the Agents plugin for Mattermost. The plugin's API endpoints that return channel member objects do not perform proper permission checks, so any authenticated user can request them, even for channels the user has no business reading. A channel member object carries a `last_viewed_at` field, a Unix-millisecond timestamp recording when that member last read the channel; this metadata is normally restricted. By sending crafted HTTP requests to the plugin endpoints and reading the `last_viewed_at` values in the response, an attacker can determine exactly when other users read messages in a channel, disclosing their activity patterns without authorization.
Platform: Mattermost
Version: <=10.11.3, <=10.5.11
Vulnerability: Information Disclosure
Severity: Low
Date: 2025-11-18

Prediction: 2025-12-02

What Undercode Says:

Query the plugin endpoint with the session token of any ordinary account (held in `MM_TOKEN` below), save the body, then pull out the read timestamps. `last_viewed_at` is a numeric Unix-millisecond value, so the pattern matches digits rather than a quoted string:

`curl -s -H "Authorization: Bearer $MM_TOKEN" -o response.json https://mattermost-host/api/v4/plugins/com.mattermost.agents/channel/members`

`grep -oP '"last_viewed_at":[0-9]+' response.json`

How to Exploit:

A malicious actor authenticates to the Mattermost server with any ordinary account, then calls the Agents plugin API endpoint directly, requesting channel member objects. The API returns the objects for every member of the channel, each with a `last_viewed_at` timestamp, so the attacker learns when each user last read the channel.

Protection from this CVE

Update Mattermost to a patched version once available. If the Agents plugin is not essential, disable it immediately or restrict who can use it. Limit exposure of the plugin's API routes with network-level access controls, for example by allowing them only from trusted networks.
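The exploit steps and the protection advice above come down to one missing check in a plugin HTTP handler. The Go program below is an added illustration, not code from Mattermost or the Agents plugin: it models a plugin handler that serves channel member objects from a constructed in-memory store, first in a vulnerable form that hands every member's `last_viewed_at` to any authenticated caller, then in a hardened form that requires the caller to be a member of the channel and redacts other members' read times. The `Mattermost-User-Id` header is the real header Mattermost sets on requests it forwards to plugin handlers; the channel IDs, user IDs, timestamps, `isMember` helper and the redaction choice are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ChannelMember mirrors the fields relevant to this issue. last_viewed_at is a
// Unix-millisecond timestamp, as in Mattermost's real channel member object.
type ChannelMember struct {
	UserID       string `json:"user_id"`
	ChannelID    string `json:"channel_id"`
	LastViewedAt int64  `json:"last_viewed_at"`
}

// members is a constructed in-memory stand-in for the plugin's data store
// (hypothetical channel and user IDs, hypothetical timestamps).
var members = map[string][]ChannelMember{
	"chan-eng": {
		{UserID: "alice", ChannelID: "chan-eng", LastViewedAt: 1731900000000},
		{UserID: "bob", ChannelID: "chan-eng", LastViewedAt: 1731903600000},
	},
}

// isMember is a hypothetical helper standing in for a real permission check
// (in a real plugin this would ask the server whether the user may read the channel).
func isMember(userID, channelID string) bool {
	for _, m := range members[channelID] {
		if m.UserID == userID {
			return true
		}
	}
	return false
}

// requester returns the authenticated caller. Mattermost forwards the caller's
// user ID to plugin handlers in the Mattermost-User-Id header; empty means
// the request was not authenticated.
func requester(r *http.Request) string {
	return r.Header.Get("Mattermost-User-Id")
}

// vulnerableHandler checks only that someone is logged in, then returns every
// member's read timestamp: the pattern described in the advisory.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if requester(r) == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	json.NewEncoder(w).Encode(members[r.URL.Query().Get("channel_id")])
}

// hardenedHandler requires channel membership and, as defence in depth,
// zeroes last_viewed_at for everyone except the caller.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	user := requester(r)
	if user == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	channelID := r.URL.Query().Get("channel_id")
	if !isMember(user, channelID) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	out := make([]ChannelMember, 0, len(members[channelID]))
	for _, m := range members[channelID] {
		if m.UserID != user {
			m.LastViewedAt = 0 // redacted
		}
		out = append(out, m)
	}
	json.NewEncoder(w).Encode(out)
}

// leakedTimestamps drives a handler as asUser and returns the HTTP status plus
// the read timestamps of *other* users that the response disclosed.
func leakedTimestamps(h http.HandlerFunc, asUser, channelID string) (int, map[string]int64) {
	req := httptest.NewRequest(http.MethodGet, "/channel/members?channel_id="+channelID, nil)
	if asUser != "" {
		req.Header.Set("Mattermost-User-Id", asUser)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	leaked := map[string]int64{}
	if rec.Code != http.StatusOK {
		return rec.Code, leaked
	}
	var got []ChannelMember
	_ = json.NewDecoder(rec.Body).Decode(&got)
	for _, m := range got {
		if m.UserID != asUser && m.LastViewedAt != 0 {
			leaked[m.UserID] = m.LastViewedAt
		}
	}
	return rec.Code, leaked
}

func main() {
	code, leak := leakedTimestamps(vulnerableHandler, "mallory", "chan-eng")
	fmt.Printf("vulnerable, non-member: status=%d leaked=%v\n", code, leak)
	code, leak = leakedTimestamps(hardenedHandler, "mallory", "chan-eng")
	fmt.Printf("hardened, non-member:   status=%d leaked=%v\n", code, leak)
	code, leak = leakedTimestamps(hardenedHandler, "alice", "chan-eng")
	fmt.Printf("hardened, member:       status=%d leaked=%v\n", code, leak)
}
```

Run with `go run .`: the vulnerable handler returns 200 and both users' timestamps to `mallory`, who is not in the channel; the hardened handler returns 403 to `mallory` and, for the member `alice`, a 200 that reveals no other user's read time. The membership check is the actual fix for the flaw; the redaction is an extra choice so that a future check bypass leaks nothing useful.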

Impact:

Unauthorized disclosure of users' channel read timestamps, which lets an attacker infer when users are active and available, in violation of their privacy expectations.


Sources:

Reported By: github.com