CVE-2025-47871

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-47871

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-47871.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-47871

Aliases

Downstream

openSUSE-SU-2025:15405-1

Related

openSUSE-SU-2025:15405-1

Published

2025-06-30T17:15:32.777Z

Modified

2026-03-12T02:18:22.780719993Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type: GIT
Repo: https://github.com/mattermost/mattermost-server
Events: Introduced

0bc2ddd42375a75ab14e63f038165150d4f07659

Fixed

96fdd2b677f28d1375df8dfa88bbc519f32bb3b6

Introduced

58bd34fd34cbd7d3da777d627b6cffdf8a532930

Fixed

2c4a9f9d49d9a6aa94b073e8871ff67e95f8984e

Introduced

5eebc77b68c0c2b63103316e3c92342c13fd93f9

Fixed

303cb88e93f0426657feb473b323d9e22dc0e43c

Introduced

f6b324a9d71843e8f48eba9e90dfbeabcbac1ae7

Fixed

5521da96cf8e84ff3f249ff0e3599d131c05e850

Affected versions

@mattermost/client@10.*

@mattermost/client@10.5.0

@mattermost/client@10.6.0

@mattermost/client@10.7.0

@mattermost/client@9.*

@mattermost/client@9.11.0

@mattermost/types@10.*

@mattermost/types@10.5.0

@mattermost/types@10.6.0

@mattermost/types@10.7.0

@mattermost/types@9.*

@mattermost/types@9.11.0

mattermost-redux@10.*

mattermost-redux@10.6.0

mattermost-redux@10.7.0

v10.*

v10.5.0

v10.5.0-rc6

v10.5.1

v10.5.1-rc1

v10.5.1-rc2

v10.5.2

v10.5.3

v10.5.3-rc1

v10.5.4

v10.5.4-rc1

v10.5.4-rc2

v10.5.5

v10.5.5-rc1

v10.6.0

v10.6.0-rc3

v10.6.1

v10.6.2

v10.6.2-rc1

v10.6.3

v10.6.3-rc1

v10.6.4

v10.6.4-rc1

v10.6.5

v10.7.0

v10.7.0-rc2

v10.7.1

v10.7.2

v10.7.2-rc1

v9.*

v9.11.0

v9.11.0-rc3

v9.11.1

v9.11.1-rc1

v9.11.10

v9.11.10-rc1

v9.11.11

v9.11.11-rc1

v9.11.12

v9.11.12-rc1

v9.11.13

v9.11.13-rc1

v9.11.14

v9.11.15

v9.11.2

v9.11.2-rc1

v9.11.2-rc2

v9.11.3

v9.11.3-rc1

v9.11.3-rc2

v9.11.4

v9.11.4-rc1

v9.11.5

v9.11.5-rc1

v9.11.6

v9.11.6-rc1

v9.11.6-rc2

v9.11.7

v9.11.7-rc1

v9.11.7-rc2

v9.11.7-rc3

v9.11.8

v9.11.9

v9.11.9-rc1

v9.11.9-rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-47871.json"