We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-47871

Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API



Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

Reserved 2025-05-23 | Published 2025-06-30 | Updated 2025-06-30 | Assigner Mattermost


MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

Default status
unaffected

10.5.0
affected

9.11.0
affected

10.8.0
affected

10.7.0
affected

10.6.0
affected

10.9.0
unaffected

10.5.6
unaffected

9.11.16
unaffected

10.8.1
unaffected

10.7.3
unaffected

10.6.6
unaffected

Credits

Leandro Chaves (brdoors3) finder

References

mattermost.com/security-updates

cve.org (CVE-2025-47871)

nvd.nist.gov (CVE-2025-47871)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-47871

Support options

Helpdesk Chat, Email, Knowledgebase