CVE-2025-11777
- Source
- https://cve.org/CVERecord?id=CVE-2025-11777
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11777.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-11777
- Aliases
- Downstream
- Related
- Published
- 2025-11-13T18:15:49.393Z
- Modified
- 2026-03-23T05:09:58.906804596Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
- References
Affected packages
Git / github.com/mattermost/mattermost-server
Affected versions
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@10.5.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@10.5.0
mattermost-redux@10.*
mattermost-redux@10.11.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4-rc1
v10.11.4-rc2
v10.5.0
v10.5.0-rc6
v10.5.1
v10.5.1-rc1
v10.5.1-rc2
v10.5.10
v10.5.10-rc1
v10.5.10-rc2
v10.5.11
v10.5.11-rc1
v10.5.12-rc1
v10.5.2
v10.5.3
v10.5.3-rc1
v10.5.4
v10.5.4-rc1
v10.5.4-rc2
v10.5.5
v10.5.5-rc1
v10.5.6
v10.5.6-rc1
v10.5.7
v10.5.8
v10.5.8-rc1
v10.5.9
v10.5.9-rc1
v10.5.9-rc2
v10.5.9-rc3
v10.5.9-rc4