CVE-2025-14350
- Source
- https://cve.org/CVERecord?id=CVE-2025-14350
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14350.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-14350
- Aliases
-
- GHSA-57cc-2pf4-mhmx
- GO-2026-4521
- Downstream
- Related
- Published
- 2026-02-16T13:15:59.953Z
- Modified
- 2026-03-04T22:28:58.009167Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
- References
Affected packages
Git / github.com/mattermost/mattermost-server
Affected versions
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.1.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.1.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.1.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.1.0
v11.1.0-rc4
v11.1.1
v11.1.1-rc1
v11.1.1-rc2
v11.1.2
v11.1.2-rc1
v11.2.0
v11.2.1
v11.2.1-rc1