CVE-2025-4128: 
vulnerability analysis and mitigation

CVE-2025-4128 is a permission bypass vulnerability discovered in Mattermost versions 10.5.x <= 10.5.4 and 9.11.x <= 9.11.13, disclosed on June 11, 2025. The vulnerability allows guest users to bypass permissions and access unauthorized team information through the Mattermost collaboration platform (NVD, Wiz).

The vulnerability stems from improper API access restrictions to team information, specifically allowing guest users to bypass permissions through a direct API call to /api/v4/teams/{team_id} to view information about public teams they are not members of. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N and is classified as CWE-863 (Incorrect Authorization) (NVD, Wiz).

The vulnerability allows unauthorized access to public team information, potentially exposing sensitive team data to guest users who should not have access to this information. The impact is primarily limited to confidentiality breaches, with no direct effect on system integrity or availability (Wiz).

Users should upgrade to versions newer than Mattermost 10.5.4 or 9.11.13, depending on their installation branch. The vulnerability has been fixed in subsequent releases (Mattermost Security).