CVE-2025-24839: 
Chainguard vulnerability analysis and mitigation

Mattermost Server versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, and 9.11.x <= 9.11.9 are affected by a security vulnerability identified as CVE-2025-24839. The vulnerability was discovered and disclosed on April 16, 2025 (NVD).

The vulnerability allows unauthorized access to AI bot functionality through the Wrangler plugin. Specifically, users without proper access to the AI bot can trigger AI responses by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates a network-accessible vulnerability requiring high attack complexity with low privileges required (NVD).

The vulnerability impacts the authorization controls of the AI bot functionality, potentially allowing unauthorized users to interact with and trigger AI responses when they should not have such access. This represents an incorrect authorization issue, classified under CWE-863 (NVD).

Users should upgrade to Mattermost Server versions 10.5.2, 10.4.4, or 9.11.10 or later, depending on their current version track. These versions contain the necessary security fixes to address the vulnerability (CERT-FR).