3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1792

CVE-2025-1792: Mattermost fails to properly enforce access controls for guest users

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-1792

CVE-2025-1792:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	>= 10.6.0-rc1, < 10.7.1	10.7.1
github.com/mattermost/mattermost/server/v8	go	>= 10.0.0-rc1, < 10.5.4	10.5.4
github.com/mattermost/mattermost/server/v8	go	>= 9.0.0-rc1, < 9.11.13	9.11.13
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20250414110750-c23f44fe8ed0	8.0.0-20250414110750-c23f44fe8ed0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-1792, concerns Mattermost's failure to properly enforce access controls for guest users, allowing them to access channel member information illicitly. The provided commit c23f44fe8ed02f71d506f99adc30ad34c58c89d1 directly addresses this issue by modifying the addChannelMember function within server/channels/api4/channel.go.

The analysis of the patch reveals that a crucial security check was missing in the addChannelMember function. This check, now added, verifies if the session user is a guest and, if so, whether they possess the model.PermissionReadChannel for the channel in question. The absence of this check meant that guest users could call the API endpoint associated with addChannelMember for any channel, including those they should not have access to. This could lead to several exploit scenarios, such as inferring channel or member existence, or potentially altering membership in a way that reveals information, thus 'viewing metadata' indirectly as described in the vulnerability.

The function github.com/mattermost/mattermost/server/v8/channels/api4.addChannelMember is identified as vulnerable (in its pre-patch state) because it processed requests related to channel membership without adequate permission validation for guest users. The introduction of the IsGuest() check combined with SessionHasPermissionToChannel rectifies this specific flaw. While the vulnerability description mentions 'viewing metadata' and 'channel members API endpoint' (plural or general), this commit specifically patches the addChannelMember function, making it a concrete example of where the access control was lacking. This function would appear in a runtime profile if this specific part of the vulnerability was triggered or exploited.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-1792: Mattermost fails to properly enforce access controls for guest users

CVE-2025-1792:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.1

3.1

CVE-2025-1792: Mattermost fails to properly enforce access controls for guest users

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI