What is the severity of CVE-2025-27933?

CVE-2025-27933 has a medium severity level as it allows improper channel conversion leading to potential data exposure.

How do I fix CVE-2025-27933?

To resolve CVE-2025-27933, upgrade Mattermost to version 10.4.3 or higher, 10.3.4 or higher, or 9.11.9 or higher.

What versions are affected by CVE-2025-27933?

CVE-2025-27933 affects Mattermost versions 10.4.x up to 10.4.2, 10.3.x up to 10.3.3, and 9.11.x up to 9.11.8.

What is the exploit path for CVE-2025-27933?

CVE-2025-27933 can be exploited by users with permissions to convert public channels to private channels, allowing inappropriate conversions.

Is CVE-2025-27933 under active exploitation?

There is currently no public information suggesting that CVE-2025-27933 is under active exploitation.

Vulnerability/
CVE-2025-27933

medium

5.4

CWE

863

EPSS

0.027%

21/3/2025

27/3/2025

CVE-2025-27933: Unauthorized Private-to-Public Channel Conversion

First published: Fri Mar 21 2025(Updated: )

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

Credit: responsibledisclosure@mattermost.com

Affected Software	Affected Version	How to fix
Mattermost	<=10.4.2<=10.3.3<=9.11.8
go/github.com/mattermost/mattermost/server/v8	<8.0.0-20250218135018-e644e3c8e393	8.0.0-20250218135018-e644e3c8e393
go/github.com/mattermost/mattermost-server	<9.11.9	9.11.9
go/github.com/mattermost/mattermost/server/v8	>=9.11.0<9.11.9	9.11.9
go/github.com/mattermost/mattermost/server/v8	>=10.3.0<10.3.4	10.3.4
go/github.com/mattermost/mattermost/server/v8	>=10.4.0<10.4.3	10.4.3
Mattermost	>=9.11.0<9.11.9
Mattermost	>=10.3.0<10.3.4
Mattermost	>=10.4.0<10.4.3

Remedy

Update Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or higher.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-27933?
CVE-2025-27933 has a medium severity level as it allows improper channel conversion leading to potential data exposure.
How do I fix CVE-2025-27933?
To resolve CVE-2025-27933, upgrade Mattermost to version 10.4.3 or higher, 10.3.4 or higher, or 9.11.9 or higher.
What versions are affected by CVE-2025-27933?
CVE-2025-27933 affects Mattermost versions 10.4.x up to 10.4.2, 10.3.x up to 10.3.3, and 9.11.x up to 9.11.8.
What is the exploit path for CVE-2025-27933?
CVE-2025-27933 can be exploited by users with permissions to convert public channels to private channels, allowing inappropriate conversions.
Is CVE-2025-27933 under active exploitation?
There is currently no public information suggesting that CVE-2025-27933 is under active exploitation.

agent/title
agent/weakness
agent/remedy
agent/type
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-h5v9-xw2g-7hrq
alias/CVE-2025-27933
agent/references
agent/source
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
collector/nvd-api
source/NVD
agent/tags
agent/softwarecombine
collector/nvd-cve
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/github-advisory
vendor/mattermost
canonical/mattermost
package-manager/go
version/mattermost/9.11.0
version/mattermost/10.3.0
version/mattermost/10.4.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.