CVE-2025-27571: Channel metadata visible in archived channels despite configuration setting
First published: Wed Apr 16 2025(Updated: )
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mattermost | <=10.5.1<=10.4.3<=9.11.9 | |
| go/github.com/mattermost/mattermost/server/v8 | <8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863 |
| go/github.com/mattermost/mattermost/server/v8 | >=9.11.0<9.11.10 | 9.11.10 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.4.0<10.4.4 | 10.4.4 |
| go/github.com/mattermost/mattermost/server/v8 | >=10.5.0<10.5.2 | 10.5.2 |
Remedy
Update Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mattermost.com/security-updates
- https://nvd.nist.gov/vuln/detail/CVE-2025-27571
- https://github.com/mattermost/mattermost/commit/341186355d982ac4cbe37668d7cdb0cf6275fe44
- https://github.com/mattermost/mattermost/commit/629f68a85dd6ed5ba0c51a9356c3a3200f50657f
- https://github.com/mattermost/mattermost/commit/8e82d8df61068fc56b0f3e51ef1cc947bc87cec1
- https://github.com/mattermost/mattermost/commit/ae8a952bcaaa5f77a92043e2538f625eac72e927
- https://github.com/mattermost/mattermost/commit/c6f6b664811795f36b9cf05b0e2b537c44c65bc1
- https://pkg.go.dev/vuln/GO-2025-3619
- https://github.com/advisories/GHSA-h4rr-f37j-4hh7 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-27571?
CVE-2025-27571 has been rated as a medium severity vulnerability due to its impact on data exposure in archived channels.
How do I fix CVE-2025-27571?
To fix CVE-2025-27571, upgrade Mattermost to version 10.5.2 or later, 10.4.4 or later, or 9.11.10 or later.
What versions of Mattermost are affected by CVE-2025-27571?
CVE-2025-27571 affects Mattermost versions 10.5.x up to and including 10.5.1, 10.4.x up to and including 10.4.3, and 9.11.x up to and including 9.11.9.
What types of users are affected by CVE-2025-27571?
Authenticated users on affected Mattermost versions can access the metadata of archived channels, breaching the intended access restrictions.
Is there a workaround for CVE-2025-27571?
Though upgrading is recommended, a temporary workaround is to disable the viewing of archived channels in the Mattermost settings until patched.
- agent/remedy
- agent/title
- agent/description
- agent/type
- agent/weakness
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- agent/source
- agent/softwarecombine
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h4rr-f37j-4hh7
- alias/CVE-2025-27571
- agent/event
- agent/tags
- collector/github-advisory
- vendor/mattermost
- canonical/mattermost
- package-manager/go