CVE-2025-11777

EUVD-2025-175343
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
MattermostCNA
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
10.5.0 ≤
𝑥
< 10.5.12
mattermostmattermost_server
10.11.0 ≤
𝑥
< 10.11.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates