Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
Fixes

Solution

Update Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 29 Sep 2025 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost mattermost Server
CPEs | | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products | | Mattermost mattermost Server

Thu, 17 Apr 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 16:30:00 +0000

Type | Values Removed | Values Added
Description | | Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
Title | | Unauthorized View Access to Archived Channel Member Info
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-04-17T19:41:45.158Z

Reserved: 2025-03-20T15:06:29.971Z

Link: CVE-2025-2564

Vulnrichment

Updated: 2025-04-16T18:05:44.065Z

NVD

Status: Analyzed

Published: 2025-04-16T17:15:49.717

Modified: 2025-09-29T21:13:11.830

Link: CVE-2025-2564

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T11:06:56Z