CVE-2024-39837

LOW

Mattermost 9.5.0-9.5.6 and 9.9.0 - Unauthenticated Arbitrary Channel Creation via Shared Channels

Title source: llm

Description

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.

References (1)

Core 1

Core References

Vendor Advisory

https://mattermost.com/security-updates

Scores

CVSS v3 3.8

EPSS 0.0030

EPSS Percentile 53.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (6)

mattermost/mattermost 9.5.0 - 9.5.7Go

mattermost/mattermost-server 0 - 5.3.2-0.20240626164322-c758cecaf30cGo

mattermost/mattermost-server 0 - 6.0.0-20240626164322-c758cecaf30cGo

mattermost/mattermost-server 9.9.0 - 9.9.1Go

mattermost/mattermost_server 9.9.0

mattermost/mattermost_server 9.5.0 - 9.5.7

Published Aug 01, 2024

Tracked Since Feb 18, 2026