4.3
Mattermost: Insiders can discover team existence and URLs
CVE-2025-14350
GHSA-57cc-2pf4-mhmx
Summary
Authenticated users can discover the existence of teams and their URLs by posting a link to a channel and checking the API response. This affects Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, and 11.2.x <= 11.2.1. To fix this, update to the latest version of Mattermost.
What to do
- Update github.com mattermost to version 8.0.0-20251209134645-761e56bb11cc.
- Update github.com mattermost to version 5.3.2-0.20251209134645-761e56bb11cc.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | <= 8.0.0-20251209134645-761e56bb11cc | 8.0.0-20251209134645-761e56bb11cc |
| github.com | mattermost | > 11.1.0 , <= 11.1.3 | – |
| github.com | mattermost | > 10.11.0 , <= 10.11.10 | – |
| github.com | mattermost | > 11.2.0 , <= 11.2.2 | – |
| github.com | mattermost | <= 5.3.2-0.20251209134645-761e56bb11cc | 5.3.2-0.20251209134645-761e56bb11cc |
| mattermost | mattermost_server | > 10.11.0 , <= 10.11.10 | – |
| mattermost | mattermost_server | > 11.1.0 , <= 11.1.3 | – |
| mattermost | mattermost_server | > 11.2.0 , <= 11.2.2 | – |
Original title
Mattermost fails to properly validate team membership when processing channel mentions
Original description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions, which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
NVD CVSS 3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026