CVE-2025-1472: 
vulnerability analysis and mitigation

A vulnerability has been identified in Mattermost versions 9.11.x <= 9.11.8 (CVE-2025-1472) that involves improper authorization of the Viewer role. The vulnerability was disclosed on March 19, 2025, affecting the Mattermost platform's role-based access control system (NVD).

The vulnerability stems from a failure to properly perform authorization checks for users with the Viewer role. Specifically, users configured with No Access to Reporting can still view team and site statistics, bypassing intended access restrictions. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive team and site statistics to users who should not have access to this information. Users with the Viewer role who are explicitly configured with No Access to Reporting can circumvent these restrictions and view statistical data, potentially leading to unauthorized information disclosure (NVD).

Organizations should upgrade to a patched version of Mattermost beyond 9.11.8. The vulnerability has been classified under CWE-863 (Incorrect Authorization), suggesting that proper authorization checks have been implemented in newer versions (NVD).