CVE-2025-14350
Last modified
CVE-2025-14350 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563. EPSS estimates a 0.16% chance of exploitation in the next 30 days.
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mattermost | Mattermost Server | >= 10.11.0, < 10.11.10 |
| Mattermost | Mattermost Server | >= 11.1.0, < 11.1.3 |
| Mattermost | Mattermost Server | >= 11.2.0, < 11.2.2 |
References
- https://mattermost.com/security-updatesVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-14350?
How severe is CVE-2025-14350?
How do I fix CVE-2025-14350?
Are you affected by CVE-2025-14350?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST