CVE-2025-14350

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-14350
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14350.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-14350
Aliases
Downstream
Related
Published
2026-02-16T12:05:33.312Z
Modified
2026-05-18T05:59:11.431053161Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Information disclosure via channel mentions in posts
Details

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.1.0"
                },
                {
                    "last_affected": "11.1.2"
                },
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.9"
                },
                {
                    "introduced": "11.2.0"
                },
                {
                    "last_affected": "11.2.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/14xxx/CVE-2025-14350.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
5b955468ea1ea8b56c0fb10feb258a36a767d7bb
Fixed
ba27ba1f8cb1ffe2b1a79dc3d15a3ffa7de12fd7
Introduced
e62f350cd7a896c45a0e025f44cb8915f5597854
Fixed
7d0e4261dd4bc45162be3183ac19241f43a3f994
Introduced
ab7b138824c61fe1fe815243d7e2a914dec49c8b
Fixed
cfbe9d9254d4903777fab5957924d260cb5b74ff
Database specific 
{
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.10"
        },
        {
            "introduced": "11.1.0"
        },
        {
            "fixed": "11.1.3"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "11.2.2"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.1.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.1.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.1.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.1.0
v11.1.0-rc4
v11.1.1
v11.1.1-rc1
v11.1.1-rc2
v11.1.2
v11.1.2-rc1
v11.2.0
v11.2.1
v11.2.1-rc1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14350.json"