CVE-2025-11777 LOW

CVE-2025-11777: Cross-team channel membership access

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published November 13, 2025
Last update November 13, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

Key dates

02 Disclosure timeline

November 13, 2025 CVE published
November 13, 2025 Record updated