Upstream information
Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CNA (Mattermost) | National Vulnerability Database | |
|---|---|---|
| Base Score | 4.3 | 5.4 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | None | Low |
| Integrity Impact | Low | Low |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15405 |
SUSE Timeline for this CVE
CVE page created: Mon Jun 30 20:00:30 2025CVE page last modified: Tue Aug 5 01:29:53 2025