CVE-2025-1792: 
vulnerability analysis and mitigation

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 contain a vulnerability related to access control enforcement for guest users. The vulnerability was discovered and disclosed on May 30, 2025, affecting the Mattermost collaboration platform (NVD).

The vulnerability stems from improper enforcement of access controls for guest users accessing channel member information. This allows authenticated guest users to view metadata about members of public channels through the channel members API endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity, low privileges required, and low confidentiality impact (NVD, Wiz).

The primary impact of this vulnerability is the potential exposure of member metadata in public channels to guest users who should not have access to this information. The vulnerability affects confidentiality but does not impact system integrity or availability (Wiz).

Organizations should upgrade to versions newer than 10.7.0 for the 10.7.x series, 10.5.3 for the 10.5.x series, or 9.11.12 for the 9.11.x series to address this vulnerability (NVD, Mattermost Security).