Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2025-03-19T15:15:53Z", "cwe_ids": [ "CWE-863" ], "github_reviewed_at": "2025-03-19T21:52:19Z" }