CVE-2025-9081: Mattermost boards plugin fails to restrict download access to files
3.1
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-boards | go | < 0.0.0-20250716054606-3f3e3becfe1d | 0.0.0-20250716054606-3f3e3becfe1d |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250721095935-11c36f4d1e44 | 8.0.0-20250721095935-11c36f4d1e44 |
| github.com/mattermost/mattermost-server | go | >= 10.5.0-rc1, < 10.5.9 | 10.5.9 |
| github.com/mattermost/mattermost-server | go | >= 9.11.0-rc1, < 9.11.18 | 9.11.18 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the Mattermost boards plugin's failure to properly restrict access to file downloads, allowing any authenticated user to access sensitive files. This is a classic case of a missing authorization check, specifically a CWE-639: Authorization Bypass Through User-Controlled Key. An attacker can exploit this by making requests to the board's file download endpoint while enumerating file UUIDs.
The analysis of the provided patch commit 3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b reveals that the vulnerability is addressed by adding an ownership validation check in two key functions: API.getFileInfo and App.GetFile.
- API.getFileInfo in server/api/files.go: This function is an API endpoint that was modified to include a call to the newly added ValidateFileOwnership function. Before the patch, this function would retrieve file information without verifying that the file belonged to the specified board, making it a primary entry point for the vulnerability.
- App.GetFile in server/app/files.go: This function, which is responsible for retrieving the file itself, was also patched to include the ValidateFileOwnership check. This prevents the actual download of the file if the user is not authorized.
The patch introduces the ValidateFileOwnership function, which checks if a file is referenced by the blocks within a specific board. This ensures that a user can only access files that are part of a board they have access to.
Therefore, any runtime profile during the exploitation of this vulnerability would show calls to API.getFileInfo and App.GetFile as these are the functions that process the malicious request and, prior to the patch, failed to perform the necessary access control checks.
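The following Go example is added here to illustrate the class of check the patch introduces; it is not the plugin's own code. It uses a constructed in-memory block store and file map, assumes that image and attachment blocks carry their file reference under a Fields key named "fileId", and assumes the caller has already verified the user's membership on the requested board. getFileVulnerable models the pre-patch path, where the board ID only scopes the request and the file is looked up by its enumerable ID alone; getFileHardened refuses to serve a file unless some block on that board references it.

```go
package main

import (
	"errors"
	"fmt"
)

// Block is a minimal stand-in for a board block. The real plugin's block model
// is richer; this shape is an assumption made for the example.
type Block struct {
	ID      string
	BoardID string
	Type    string         // e.g. "image", "attachment", "text"
	Fields  map[string]any // assumed: image/attachment blocks reference their file under "fileId"
}

// blockStore is a constructed in-memory substitute for the plugin's block store.
type blockStore struct {
	blocks []Block
}

// blocksForBoard returns the blocks that belong to one board.
func (s *blockStore) blocksForBoard(boardID string) []Block {
	var out []Block
	for _, b := range s.blocks {
		if b.BoardID == boardID {
			out = append(out, b)
		}
	}
	return out
}

var (
	ErrFileNotFound = errors.New("file not found")
	ErrFileNotOwned = errors.New("file is not referenced by any block on this board")
)

// validateFileOwnership mirrors the idea behind the patch's ValidateFileOwnership:
// a file may only be served in the context of a board if a block on that board references it.
func validateFileOwnership(s *blockStore, boardID, fileID string) error {
	for _, b := range s.blocksForBoard(boardID) {
		if ref, ok := b.Fields["fileId"].(string); ok && ref == fileID {
			return nil
		}
	}
	return ErrFileNotOwned
}

// getFileVulnerable models the pre-patch behaviour: boardID is accepted but never
// consulted, so any member of any board can fetch any file by guessing its ID.
func getFileVulnerable(files map[string][]byte, boardID, fileID string) ([]byte, error) {
	_ = boardID // the missing check: the board is never tied to the file
	data, ok := files[fileID]
	if !ok {
		return nil, ErrFileNotFound
	}
	return data, nil
}

// getFileHardened runs the ownership check before touching file storage.
// Board membership for boardID is assumed to have been checked by the caller.
func getFileHardened(s *blockStore, files map[string][]byte, boardID, fileID string) ([]byte, error) {
	if err := validateFileOwnership(s, boardID, fileID); err != nil {
		return nil, err
	}
	data, ok := files[fileID]
	if !ok {
		return nil, ErrFileNotFound
	}
	return data, nil
}

// sampleData builds constructed fixtures: two boards, each referencing one uploaded file.
func sampleData() (*blockStore, map[string][]byte) {
	s := &blockStore{blocks: []Block{
		{ID: "blk-1", BoardID: "board-A", Type: "image", Fields: map[string]any{"fileId": "file-1"}},
		{ID: "blk-2", BoardID: "board-B", Type: "text", Fields: map[string]any{}},
		{ID: "blk-3", BoardID: "board-B", Type: "attachment", Fields: map[string]any{"fileId": "file-2"}},
	}}
	files := map[string][]byte{
		"file-1": []byte("secret design doc from board A"),
		"file-2": []byte("public notes from board B"),
	}
	return s, files
}

func main() {
	s, files := sampleData()
	// A member of board-B enumerates file-1, which belongs to board-A.
	if data, err := getFileVulnerable(files, "board-B", "file-1"); err == nil {
		fmt.Printf("vulnerable: leaked %q\n", data)
	}
	if _, err := getFileHardened(s, files, "board-B", "file-1"); err != nil {
		fmt.Println("hardened:", err)
	}
	if data, err := getFileHardened(s, files, "board-A", "file-1"); err == nil {
		fmt.Printf("hardened, legitimate request: %q\n", data)
	}
}
```

The ownership check is deliberately placed before the storage lookup, so an unknown or foreign file ID yields the same ErrFileNotOwned response and the endpoint cannot be used as an oracle to confirm which IDs exist. It complements, and does not replace, the board-level permission check: a user who is not a member of board-A must still be rejected before this function is reached.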
Vulnerable functions
API.getFileInfo (server/api/files.go)
App.GetFile (server/app/files.go)