CVE-2025-11777
Cross-team channel membership accessMattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
We have discovered 90 live websites that are affected by CVE-2025-11777.
Affected Software
| Product |  Mattermost |
| Category | Message Boards |
| Vulnerable Domains | 90 live websites (23% of Mattermost install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 10 versions ( 14% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Nov 13, 2025
- Updated - Nov 13, 2025
Credits
- Xiangyu Guo (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11777 United States | 15 websites |
 Germany | 32 websites |
 France | 11 websites |
 GB | 10 websites |
 Russia | 4 websites |
 Argentina | 2 websites |
 Belgium | 2 websites |
 Czech Republic | 2 websites |
 Turkmenistan | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11777| .com | 18 websites |
| .org | 18 websites |
| .de | 14 websites |
| .fr | 5 websites |
| .ru | 4 websites |
| .net | 3 websites |
| .be | 2 websites |
| .co.uk | 2 websites |
| .ca | 1 websites |
| .co | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11777
Top websites that are affected by CVE-2025-11777. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | Germany | ***,*** | |
| ****.*******.com | GB | ***,*** | |
| ****.*******.org | Germany | *,***,*** | |
| **.*****.re | Germany | *,***,*** | |
| ***********.ru | Russia | *,***,*** | |
| ****.*******.com | Germany | *,***,*** | |
| ****.*********.org | United States | *,***,*** | |
| *************.org | GB | *,***,*** | |
| ****************.de | Germany | *,***,*** | |
| ******.de | Germany | *,***,*** |
FAQ
CVE-2025-11777 is Incorrect Authorization in Mattermost
A total of 90 websites have been identified as vulnerable to CVE-2025-11777, based on global website indexing conducted by WebTechSurvey.
The Mattermost is affected by the CVE-2025-11777 vulnerability.
Mattermost versions up to and including 10.11.3 are vulnerable to CVE-2025-11777.