
Cloud Vulnerability DB
A community-led vulnerabilities database
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, and 9.11.x <= 9.11.9 contain an authorization vulnerability where the system fails to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of posts from archived channels. This vulnerability was disclosed on April 16, 2025, and is tracked as CVE-2025-27571 (NVD).
The vulnerability is classified as an incorrect authorization issue (CWE-863) with a CVSS v3.1 base score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The vulnerability allows authenticated users to bypass the channel archival viewing restrictions and access metadata information from archived channels, even when the "Allow Users to View Archived Channels" setting is disabled (NVD).
When exploited, this vulnerability allows authenticated users to access channel metadata from archived channels, bypassing the intended access restriction. This could expose sensitive information contained in the metadata of archived channels (NVD).
Organizations should upgrade to Mattermost versions 10.5.2, 10.4.4, or 9.11.10 or later to address this vulnerability. These versions include the necessary fixes to properly enforce the "Allow Users to View Archived Channels" configuration (CERT-FR).
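The affected and fixed version ranges above can be checked against a server inventory with a short script. The following is an added example, not part of the original advisory or Mattermost's own tooling; the hostnames and the inventory contents are constructed, and the function names are hypothetical.

```python
import re

# Patch number of the first fixed release on each affected branch (from the advisory).
FIRST_FIXED_PATCH = {(10, 5): 2, (10, 4): 4, (9, 11): 10}

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a tuple of ints."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def triage(version):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    major, minor, patch = parse_version(version)
    first_fixed = FIRST_FIXED_PATCH.get((major, minor))
    if first_fixed is None:
        # The advisory names only three branches; make no claim about others.
        return "not-listed"
    # Compare integers: as strings, "10" sorts before "9", which would
    # wrongly rank 9.11.10 below 9.11.9.
    return "affected" if patch < first_fixed else "fixed"

def upgrade_target(version):
    """Return the first fixed release on the same branch, or None."""
    major, minor, _ = parse_version(version)
    first_fixed = FIRST_FIXED_PATCH.get((major, minor))
    return None if first_fixed is None else f"{major}.{minor}.{first_fixed}"

def review_inventory(inventory):
    """Return sorted (host, version, status, target) rows for an inventory."""
    rows = []
    for host, version in sorted(inventory.items()):
        try:
            status = triage(version)
        except ValueError:
            rows.append((host, version, "unparsed", None))
            continue
        target = upgrade_target(version) if status == "affected" else None
        rows.append((host, version, status, target))
    return rows

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "chat-a.example": "10.5.1",
    "chat-b.example": "v9.11.10",
    "chat-c.example": "9.11.9",
    "chat-d.example": "10.6.0",
    "chat-e.example": "unknown",
}

if __name__ == "__main__":
    for row in review_inventory(SAMPLE_INVENTORY):
        print(row)
```

A "not-listed" result means only that the advisory text does not name that branch, not that the release is unaffected.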
Source: This report was generated using AI