CVE-2025-24920 in Mattermost
Summary
by MITRE • 03/21/2025
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2025
This vulnerability affects Mattermost server versions across multiple release branches including 10.4.x up to 10.4.2, 10.3.x up to 10.3.3, 9.11.x up to 9.11.8, and 10.5.x up to 10.5.0. The flaw represents a critical access control weakness that undermines the intended security boundaries of archived channels within the platform. The issue stems from insufficient validation mechanisms that should prevent users from interacting with archived channels while maintaining the ability to create or modify bookmarks in these restricted areas.
The technical implementation of this vulnerability demonstrates a failure in the platform's permission model where the system does not properly enforce channel archival status during bookmark operations. When users attempt to create or update bookmarks in archived channels, the system should reject these actions based on the archived state of the channel. However, the current implementation allows authenticated users to bypass these restrictions, creating a scenario where users can manipulate content within channels that should be effectively closed to further interaction.
From an operational perspective, this vulnerability poses significant risks to data integrity and access control within Mattermost environments. An authenticated attacker with access to archived channels could potentially maintain persistent references to archived content, creating misleading bookmarks that might be used for social engineering or information gathering attacks. The impact extends beyond simple bookmark manipulation as it represents a broader failure in channel state management that could potentially enable other unauthorized actions within archived contexts. This weakness directly violates the principle of least privilege and could be exploited to maintain access to sensitive information that should be permanently restricted.
The vulnerability maps to CWE-668, which specifically addresses "Exposure of Resource to Wrong Sphere," indicating that the system is exposing channel bookmark functionality to users who should not have access to archived channels. From an attack framework perspective, this issue aligns with ATT&CK technique T1078.004, "Valid Accounts: Cloud Accounts," as it exploits legitimate user credentials to perform unauthorized actions within restricted contexts. The flaw also relates to T1566.001, "Phishing: Spearphishing Attachment," if attackers use the bookmark functionality to maintain persistent access to archived information that could be leveraged in subsequent attacks. Organizations should immediately implement mitigations including immediate version updates to patched releases, manual verification of archived channel restrictions, and monitoring for unauthorized bookmark creation activities within archived channels.
Security teams should prioritize this vulnerability as it represents a fundamental breakdown in the platform's access control mechanisms. The recommended remediation includes upgrading to the latest stable versions that contain the necessary patches to enforce proper channel state restrictions. Additionally, administrators should conduct thorough audits of existing bookmarks in archived channels to identify any potentially malicious or unauthorized entries. The vulnerability demonstrates the importance of comprehensive testing of access control mechanisms, particularly those involving stateful operations like channel archival and bookmark management. Organizations should also consider implementing additional monitoring controls to detect suspicious bookmark creation patterns within archived channels, as these activities may indicate attempts to exploit the vulnerability or maintain unauthorized access to restricted information.