| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | < 8.1.8 | 8.1.8 |
| github.com/mattermost/mattermost/server/v8 | go | >= 9.0.0, < 9.3.0 | 9.3.0 |

The vulnerability description explicitly references the `POST /api/v4/channels/stats/member_count` endpoint leaking data due to missing permission checks. This maps onto Mattermost's architecture as follows:

1. API handlers are typically mapped in `api4/*.go` files.
2. Channel-related endpoints are in `channel.go`.
3. Handler functions follow naming conventions like `handlePost[Resource][Action]`.
4. The core failure matches a missing authorization middleware call (e.g., `requireChannelMemberPermissions`) before the stats retrieval logic executes.

While the exact code isn't shown, the endpoint specificity and Mattermost's pattern of route-handler mapping make this a high-confidence identification.
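
The missing-check pattern described above next to its corrected form, with a regression-style request helper, as an added Go example that is not Mattermost's code. The handler, the `X-Test-User` header, the JSON array of channel IDs used as request body, and the sample channels are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var members = map[string]map[string]bool{ // constructed sample data: channel ID -> members
	"town-square": {"alice": true, "bob": true},
	"private-ops": {"alice": true},
}

// statsHandler models the endpoint (hypothetical code); enforce toggles the membership check.
func statsHandler(enforce bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-Test-User") // stand-in for a real session lookup
		var ids []string
		if err := json.NewDecoder(r.Body).Decode(&ids); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		counts := map[string]int{}
		for _, id := range ids {
			if enforce && !members[id][user] { // unknown and forbidden IDs get the same answer
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			counts[id] = len(members[id])
		}
		json.NewEncoder(w).Encode(counts)
	}
}

// request POSTs body as user and returns the status code and trimmed response body.
func request(h http.Handler, user, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/api/v4/channels/stats/member_count", strings.NewReader(body))
	req.Header.Set("X-Test-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(request(statsHandler(false), "bob", `["private-ops"]`))
	fmt.Println(request(statsHandler(true), "bob", `["private-ops"]`))
}
```

Because the enforcing handler authorizes every requested channel before writing anything, a request that mixes permitted and forbidden channel IDs is rejected as a whole and returns no partial counts.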