In Mattermost versions 9.11.x up to and including 9.11.8 a low severity vulnerability CVE-2025-24866 was detected. This vulnerability allows users with delegated granular administration roles, who lack Compliance Monitoring access, to retrieve User Activity Logs via the /api/v4/audits endpoint. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24866.
Mattermost: Improper Access Control on Audit Endpoint
by the Hossted team
14.04.2025
14.04.2025