Auth bypass in Mattermost
CVE-2025-41436
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads.
Vulnerability class: Broken Access Control
EPSS: 0.001 (4.3rd percentile).
CVSS v3 metrics
CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Mattermost — versions <11.0, 11.0.0
- Mattermost — Mattermost Server
Weakness classification (CWE)
- Incorrect Authorization
References
- responsibledisclosure@mattermost.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2025-41436?
  - CVE-2025-41436 is a low-severity vulnerability in Mattermost, classified under Incorrect Authorization. CVSS score: 3.1/10. Published 2025-11-14.
- How severe is CVE-2025-41436?
  - Low severity. CVSS v3 base score is 3.1 out of 10.