CVE-2025-27571— Channel metadata visible in archived channels despite configuration setting

CVSS 4.3 · Medium EPSS 0.18% · P40 Updated Apr 17, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-27571

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Channel metadata visible in archived channels despite configuration setting

Source: NVD (National Vulnerability Database)

Vulnerability Description

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制不正确

Source: NVD (National Vulnerability Database)

Vulnerability Title

Mattermost 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Mattermost是美国Mattermost公司的一个开源协作平台。 Mattermost 10.5.1及之前版本、10.4.3及之前版本和9.11.9及之前版本存在安全漏洞，该漏洞源于归档频道元数据检查不充分，可能导致信息泄露。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Mattermost	Mattermost	10.5.0 ~ 10.5.1	-

II. Public POCs for CVE-2025-27571

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-27571

请登录查看更多情报信息。

https://nvd.nist.gov/vuln/detail/CVE-2025-27571

Same Patch Batch · Mattermost · 2025-04-16 · 6 CVEs total

CVE-2025-27936	5.3 MEDIUM	Webhook Secret Exposure via Timing attack in MSteams plugin
CVE-2025-2564	4.3 MEDIUM	Unauthorized View Access to Archived Channel Member Info
CVE-2025-24839	3.1 LOW	Unauthorized AI bot activation via Wrangler plugin
CVE-2025-31363	3.0 LOW	Data exfiltration via AI plugin Jira tool
CVE-2025-27538	2.2 LOW	MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users

IV. Related Vulnerabilities

Same product: Mattermost

Same vendor: Mattermost

Same weakness: CWE-863

V. Comments for CVE-2025-27571

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-27571— Channel metadata visible in archived channels despite configuration setting

I. Basic Information for CVE-2025-27571

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-27571

III. Intelligence Information for CVE-2025-27571

Same Patch Batch · Mattermost · 2025-04-16 · 6 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-27571

Leave a comment