How the CVE Works:
Mattermost versions 10.5.x (<= 10.5.4) and 9.11.x (<= 9.11.13) contain an improper access control flaw in the `/api/v4/teams/{team_id}` endpoint. Guest users, who should only be able to access teams they have been explicitly added to, can bypass that restriction by sending a direct API request. The server fails to validate team membership for guest accounts when a public team's details are queried, exposing metadata such as the team name, display name, and other non-sensitive but restricted fields. The root cause is a missing membership check in the team permission layer before the API response is returned.
DailyCVE Form:
Platform: Mattermost
Version: 10.5.4, 9.11.13
Vulnerability: Information Disclosure
Severity: Low
Date: Jun 11, 2025
Prediction: Patch by Jul 10, 2025
What Undercode Say:
Exploitation:
1. Curl Command to Test Vulnerability:
curl -X GET "http://<target>/api/v4/teams/<team_id>" -H "Authorization: Bearer <guest_token>"
2. Expected Response (Unauthorized Data Leak):
{"id":"team_id","name":"public_team","display_name":"Public Team"}
Mitigation:
1. Temporary Workaround (nginx; note that this denies the endpoint to all clients, not only guests, until the upgrade is applied):
location /api/v4/teams { deny all; }
2. Upgrade Check Command:
dpkg -l | grep mattermost | awk '{print $3}'
Detection:
1. Log Analysis for Suspicious Requests:
grep "GET /api/v4/teams" /var/log/mattermost/access.log | grep "guest"
Patch Analysis:
1. Expected Fix:
// Pseudocode for patch
if user.IsGuest() && !user.HasTeamAccess(teamID) {
    return ErrorForbidden()
}
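To make the flaw described in "How the CVE Works" and the expected fix above concrete, here is an added Go illustration (Mattermost is written in Go, but this is not Mattermost's code). It models a team lookup twice: once with the vulnerable behaviour, where any authenticated user can read a public team, and once with the guest membership check applied first. The types User, Team and TeamStore, the method names, and the team and user IDs are all hypothetical sample data constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration, not Mattermost's code. Every name below is hypothetical.

var ErrForbidden = errors.New("403 forbidden")
var ErrNotFound = errors.New("404 not found")

type User struct {
	ID    string
	Guest bool
}

type Team struct {
	ID          string
	Name        string
	DisplayName string
	Public      bool
}

// TeamStore holds teams and the set of explicit memberships (teamID -> userID).
type TeamStore struct {
	teams   map[string]Team
	members map[string]map[string]bool
}

func (s *TeamStore) IsMember(userID, teamID string) bool {
	return s.members[teamID][userID]
}

// vulnerableGetTeam mirrors the flawed behaviour: a public team is returned to
// any authenticated caller, with no membership check for guest accounts.
func (s *TeamStore) vulnerableGetTeam(u User, teamID string) (Team, error) {
	t, ok := s.teams[teamID]
	if !ok {
		return Team{}, ErrNotFound
	}
	if t.Public || s.IsMember(u.ID, teamID) {
		return t, nil
	}
	return Team{}, ErrForbidden
}

// fixedGetTeam applies the expected fix: a guest must be an explicit member of
// the team before anything is returned, whether or not the team is public.
func (s *TeamStore) fixedGetTeam(u User, teamID string) (Team, error) {
	t, ok := s.teams[teamID]
	if !ok {
		return Team{}, ErrNotFound
	}
	if u.Guest && !s.IsMember(u.ID, teamID) {
		return Team{}, ErrForbidden
	}
	if t.Public || s.IsMember(u.ID, teamID) {
		return t, nil
	}
	return Team{}, ErrForbidden
}

// newSampleStore builds constructed sample data: one public team the guest is
// not a member of, and one private team the guest has been added to.
func newSampleStore() *TeamStore {
	return &TeamStore{
		teams: map[string]Team{
			"t-public":  {ID: "t-public", Name: "public_team", DisplayName: "Public Team", Public: true},
			"t-private": {ID: "t-private", Name: "private_team", DisplayName: "Private Team", Public: false},
		},
		members: map[string]map[string]bool{
			"t-private": {"guest-1": true},
		},
	}
}

func main() {
	s := newSampleStore()
	guest := User{ID: "guest-1", Guest: true}

	if t, err := s.vulnerableGetTeam(guest, "t-public"); err == nil {
		fmt.Printf("vulnerable: guest reads %q (%s)\n", t.Name, t.DisplayName)
	}
	_, err := s.fixedGetTeam(guest, "t-public")
	fmt.Println("fixed, public team:", err)
	t, _ := s.fixedGetTeam(guest, "t-private")
	fmt.Println("fixed, team the guest belongs to:", t.Name)
}
```

The ordering matters: the guest membership check runs before the public-team shortcut, so the shortcut can never be reached by a guest who is not a member. Regular (non-guest) users keep the existing behaviour for public teams, which is what the patch is expected to preserve.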
Post-Patch Verification:
1. Test Patch Effectiveness:
curl -I "http://<target>/api/v4/teams/<team_id>" -H "Authorization: Bearer <guest_token>"
Expected Response: `HTTP/1.1 403 Forbidden`
Sources:
Reported By: github.com