CVE-2025-1792: Mattermost fails to properly enforce access controls for guest users
3.1
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/mattermost/mattermost/server/v8 | go | >= 10.6.0-rc1, < 10.7.1 | 10.7.1 |
github.com/mattermost/mattermost/server/v8 | go | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
github.com/mattermost/mattermost/server/v8 | go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250414110750-c23f44fe8ed0 | 8.0.0-20250414110750-c23f44fe8ed0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability, CVE-2025-1792, concerns Mattermost's failure to properly enforce access controls for guest users, allowing them to access channel member information they are not entitled to see. The provided commit c23f44fe8ed02f71d506f99adc30ad34c58c89d1 directly addresses this issue by modifying the `addChannelMember` function within `server/channels/api4/channel.go`.
The analysis of the patch reveals that a crucial security check was missing in the `addChannelMember` function. This check, now added, verifies whether the session user is a guest and, if so, whether they hold `model.PermissionReadChannel` for the channel in question. Without this check, guest users could call the API endpoint backed by `addChannelMember` for any channel, including channels they should not have access to. This could lead to several exploit scenarios, such as inferring channel or member existence, or altering membership in a way that reveals information, thereby 'viewing metadata' indirectly, as described in the vulnerability.
The function `github.com/mattermost/mattermost/server/v8/channels/api4.addChannelMember` is identified as vulnerable (in its pre-patch state) because it processed requests related to channel membership without adequate permission validation for guest users. The introduction of the `IsGuest()` check combined with `SessionHasPermissionToChannel` rectifies this specific flaw. While the vulnerability description mentions 'viewing metadata' and the 'channel members API endpoint' in general terms, this commit specifically patches the `addChannelMember` function, making it a concrete example of where the access control was lacking. This function would appear in a runtime profile if this specific part of the vulnerability was triggered or exploited.