Impact
Mattermost platforms in certain 10.x and 11.x releases allow authenticated guest users to retrieve group member IDs without applying the intended view restrictions, enabling enumeration of internal user identifiers that guests should not see. The disclosed IDs are sensitive internal data, and their exposure can facilitate credential guessing or social engineering, so this is an information-disclosure risk. The weakness is classified as an authorization bypass involving user-controlled keys, under CWE-863.
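The missing check the advisory describes, shown as an added illustration that is not Mattermost's own code: a hypothetical in-memory store with a guest view restriction (guests only see users who share a channel with them), with the group-member lookup first returned as stored and then filtered through that restriction. All type and function names and the sample users, channels and group are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Simplified, hypothetical model of the data involved (constructed for this
// example; not Mattermost's own types or store).
type User struct {
	ID      string
	IsGuest bool
}

type Store struct {
	users          map[string]User
	channelMembers map[string][]string // channel ID -> member user IDs
	groupMembers   map[string][]string // group ID -> member user IDs
}

// visibleUserIDs is the view restriction: a guest may only see users who
// share at least one channel with them, while a regular user sees everyone.
func (s *Store) visibleUserIDs(requester User) map[string]bool {
	visible := map[string]bool{requester.ID: true}
	if !requester.IsGuest {
		for id := range s.users {
			visible[id] = true
		}
		return visible
	}
	for _, members := range s.channelMembers {
		shared := false
		for _, id := range members {
			if id == requester.ID {
				shared = true
				break
			}
		}
		if !shared {
			continue
		}
		for _, id := range members {
			visible[id] = true
		}
	}
	return visible
}

// GroupMemberIDsUnrestricted shows the flawed pattern: membership is returned
// as stored, so a guest learns IDs of users they are not allowed to see.
func (s *Store) GroupMemberIDsUnrestricted(groupID string) ([]string, error) {
	members, ok := s.groupMembers[groupID]
	if !ok {
		return nil, errors.New("group not found")
	}
	out := append([]string(nil), members...)
	sort.Strings(out)
	return out, nil
}

// GroupMemberIDs applies the same view restriction used for other user lookups
// before returning any IDs, so the group path leaks nothing extra.
func (s *Store) GroupMemberIDs(requester User, groupID string) ([]string, error) {
	members, ok := s.groupMembers[groupID]
	if !ok {
		return nil, errors.New("group not found")
	}
	visible := s.visibleUserIDs(requester)
	out := []string{}
	for _, id := range members {
		if visible[id] {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out, nil
}

// NewSampleStore builds constructed sample data: guest "alice" shares one
// channel with "bob" only; group "eng" contains bob, carol and dave.
func NewSampleStore() *Store {
	return &Store{
		users: map[string]User{
			"alice": {ID: "alice", IsGuest: true},
			"bob":   {ID: "bob"},
			"carol": {ID: "carol"},
			"dave":  {ID: "dave"},
		},
		channelMembers: map[string][]string{
			"town-square": {"bob", "carol", "dave"},
			"guest-chat":  {"alice", "bob"},
		},
		groupMembers: map[string][]string{
			"eng": {"bob", "carol", "dave"},
		},
	}
}

func main() {
	s := NewSampleStore()
	alice := s.users["alice"]
	leaked, _ := s.GroupMemberIDsUnrestricted("eng")
	restricted, _ := s.GroupMemberIDs(alice, "eng")
	fmt.Println("unrestricted:", leaked)              // [bob carol dave]
	fmt.Println("with view restriction:", restricted) // [bob]
}
```

The design point is that the restriction lives in one helper (visibleUserIDs) and every endpoint that emits user IDs, group membership included, runs its result through it; an endpoint that skips the helper is exactly the gap the advisory describes.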
Affected Systems
Mattermost servers running 10.11.x up to and including 10.11.10, 11.2.x up to and including 11.2.2, 11.3.x up to and including 11.3.1, and 11.4.0 are affected. The fixed releases are 10.11.11, 11.2.3, 11.3.2, 11.4.1 and 11.5.0; those versions and later are not vulnerable.
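A small version-range check built from the ranges above, added here as an example rather than anything shipped with Mattermost or OpenCVE. The branch table and the 11.5.0 cut-off come from the advisory text; the function and type names are this example's own, and a release line the advisory does not mention (for instance 11.1.x) is reported as not listed rather than guessed at.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Status is the outcome of checking a server version against the advisory.
type Status int

const (
	Affected  Status = iota // within a listed affected range
	Fixed                   // at or past the fix for its branch, or 11.5.0+
	NotListed               // a release line the advisory does not describe
)

func (s Status) String() string {
	return [...]string{"affected", "fixed", "not listed"}[s]
}

// branch records the last affected patch release of one release line, taken
// from the advisory text; the fix is the next patch release.
type branch struct{ major, minor, lastAffected int }

var affectedBranches = []branch{
	{10, 11, 10}, // 10.11.x up to 10.11.10, fixed in 10.11.11
	{11, 2, 2},   // 11.2.x up to 11.2.2, fixed in 11.2.3
	{11, 3, 1},   // 11.3.x up to 11.3.1, fixed in 11.3.2
	{11, 4, 0},   // 11.4.0, fixed in 11.4.1
}

// parseVersion accepts "10.11.10", "v10.11.10" or "10.11.10-rc1" and returns
// the numeric major, minor and patch components.
func parseVersion(v string) (int, int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("version %q: expected major.minor.patch", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("version %q: bad component %q", v, p)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// CheckVersion classifies a Mattermost server version against the ranges
// stated in the advisory.
func CheckVersion(v string) (Status, error) {
	major, minor, patch, err := parseVersion(v)
	if err != nil {
		return NotListed, err
	}
	for _, b := range affectedBranches {
		if major == b.major && minor == b.minor {
			if patch <= b.lastAffected {
				return Affected, nil
			}
			return Fixed, nil
		}
	}
	// The advisory states that 11.5.0 and later are not vulnerable.
	if major > 11 || (major == 11 && minor >= 5) {
		return Fixed, nil
	}
	return NotListed, nil
}

func main() {
	for _, v := range []string{"10.11.10", "10.11.11", "11.4.0", "11.5.0", "11.1.2"} {
		st, err := CheckVersion(v)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Printf("%-9s %s\n", v, st) // affected, fixed, affected, fixed, not listed
	}
}
```

Feed it the version string reported by your server (for example from the system console or the server's own version output) and treat "affected" as a signal to upgrade to the fixed release for that line.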
Risk and Exploitability
The CVSS score of 4.3 (medium) indicates moderate severity, and an EPSS probability below 1% suggests exploitation is possible but unlikely. The vulnerability is not listed in CISA's KEV catalog. An attacker must first hold an authenticated guest account, which is a low bar wherever guest access is enabled, and then call the group retrieval endpoint to enumerate IDs. This combination of moderate impact and low exploitation likelihood means the risk is present but not critical; remediation is nonetheless recommended to close the data leak.