Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
Fixes

Solution

Update Mattermost to versions 9.11.0, 9.10.2, 9.9.3, 9.5.9 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 29 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00077}

epss

{'score': 0.00083}


Thu, 26 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Sep 2024 15:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
Title Insufficient Authorization On Unlinked Channel Files
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2024-09-26T15:17:25.819Z

Reserved: 2024-09-24T15:39:50.114Z

Link: CVE-2024-9155

cve-icon Vulnrichment

Updated: 2024-09-26T15:17:21.835Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-26T15:15:18.060

Modified: 2025-09-29T13:50:51.783

Link: CVE-2024-9155

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T16:01:15Z