CVE-2025-47871 MEDIUM

CVE-2025-47871: Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API

Vendor Mattermost

Product Mattermost

Weakness CWE-863 · Incorrect authorization

Published June 30, 2025

Last update June 30, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

Key dates

02Disclosure timeline

June 30, 2025 CVE published

June 30, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-47871

Related vulnerabilities

Identifiers

CVE CVE-2025-47871

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 10.5.0 and ≤ 10.5.5

Vendor Mattermost

Product Mattermost

Affected ≥ 9.11.0 and ≤ 9.11.15

Vendor Mattermost

Product Mattermost

Affected 10.8.0

Vendor Mattermost

Product Mattermost

Affected ≥ 10.7.0 and ≤ 10.7.2

Vendor Mattermost

Product Mattermost

Affected ≥ 10.6.0 and ≤ 10.6.5

CVE-2025-47871: Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API

01Description

02Disclosure timeline

03References

04Related CVE