CVE-2025-24866
Unauthorized Access to User Activity Logs API by delegated granular administration roles
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Unauthorized Access to User Activity Logs API by delegated granular administration roles
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
Reserved 2025-03-20 | Published 2025-04-10 | Updated 2025-04-10 | Assigner MattermostCWE-863: Incorrect Authorization
BasilJawan
mattermost.com/security-updates
Support options
