CVE-2025-41443: 
vulnerability analysis and mitigation

Mattermost versions 10.5.x <= 10.5.10 and 10.11.x <= 10.11.2 contain a Missing Authorization vulnerability (CVE-2025-41443) that was disclosed on October 16, 2025. The vulnerability affects the Mattermost server software and involves improper validation of guest user permissions when accessing channel information (NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability exists in the /api/v4/teams/{team_id}/channels/ids endpoint, where guest users can bypass permission checks to discover active public channels and their metadata. The vulnerability specifically affects the getPublicChannelsByIdsForTeam function in server/channels/api4/channel.go, which failed to properly validate guest user permissions (Miggo).

The vulnerability allows guest users to discover active public channels and their metadata that they should not have access to. This could lead to information disclosure as guest users can enumerate all public channels on the server, even those they are not members of (NVD).

Users should upgrade to Mattermost version 10.5.11 or 10.11.3, depending on their current version track. The patch introduces proper authorization checks to verify that guest users have the PermissionReadChannel permission for each requested channel (NVD).