CVE-2025-27933 is a security vulnerability in several older releases of Mattermost, a popular open-source messaging platform widely used by teams and businesses. The bug lets users who hold only the permission to convert public channels to private also convert private channels to public, which exposes the channel's full history to everyone in the team: a serious privacy risk.
Affected versions (the 10.4.x and 10.3.x ranges follow from the fixed releases listed further down):
- 10.4.x ≤ 10.4.2
- 10.3.x ≤ 10.3.3
- 9.11.x ≤ 9.11.8
If you are running one of these versions, you are at risk and should upgrade as soon as possible.
Understanding the Vulnerability
Mattermost channels are either public (anyone on the team can join) or private (invite only). The two conversion directions are meant to be governed separately: making a public channel private only restricts access and is commonly allowed, while making a private channel public exposes its history and is intended to require its own, separately granted permission. Holding the public-to-private permission should never be enough to go the other way.
However, because the restriction was not enforced properly, users with the "Convert Public Channel to Private" permission could also convert private channels into public ones. That can unintentionally expose sensitive discussions to the entire team or organization.
How It Happens
The backend does not check which direction the type change goes in. The permission intended to gate public-to-private conversions is accepted as authorization for private-to-public as well.
Exploit Details: How Attackers Can Trigger the Bug
Let's imagine a user named "Alice" who is a member of a private channel called finance-secrets and holds the conversion permission (meant for public-to-private only).
Step 1: Use the Mattermost API or UI
- With UI access, she can attempt the conversion through the channel interface, if the client does not block the action.
- Or she can send the request to the REST API directly, which sidesteps any client-side check; the flaw is on the server.
Sample API Request to Convert Private to Public
curl -i -X PUT -H 'Authorization: Bearer <USER-TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"type":"O"}' \
https://your.mattermost.server/api/v4/channels/<CHANNEL-ID>/patch
Replace <USER-TOKEN> and <CHANNEL-ID> accordingly. Note that Mattermost's channel patch route is served with PUT, and "type" is not among the documented fields of the channel patch body, so treat this request as the shape of a conversion attempt rather than a verified reproduction; the advisory does not name the exact endpoint.
type: "O" is the channel type for a public (open) channel; "P" is private.
- If successful, the channel’s privacy setting is flipped, and all messages become visible to anyone in the team.
Why This Is Dangerous
This is particularly critical when private channels are used to discuss payroll, personal information, business plans, or security issues. One misstep, and sensitive information is exposed to dozens or thousands of people.
Technical Cause
The backend function handling channel conversion did not compare the old and new channel types against the specific permission the user held. It simply checked whether the "Convert Public Channel to Private" permission was present and then allowed the conversion in either direction.
A rough sketch of the bug, in Go-like pseudocode (not the server's actual code):
// One permission, intended for public -> private, gates the change in either direction.
if user.HasPermission(PermissionConvertPublicChannelToPrivate) {
    // Neither the current type nor the requested one is inspected,
    // so a private channel ("P") can be set to public ("O") here.
    channel.Type = req.Body.Type
}
It should instead have restricted the direction of the conversion explicitly:
- Checking not just for the permission, but also the channel's current type and the requested one.
- Rejecting private-to-public conversions unless the user holds an explicit (and rarely granted!) permission for that direction.
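The following Go program is an added example, not Mattermost's code. It places the flawed check described above beside the direction-aware check the fix calls for, using a tiny stand-in for the caller's permission set. The channel type letters "O" and "P" are Mattermost's; the permission identifier strings are assumptions about spelling (the point is that the two directions are distinct permissions), and the function names are invented for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Channel types as Mattermost's API spells them: "O" is open (public), "P" is private.
const (
	ChannelTypeOpen    = "O"
	ChannelTypePrivate = "P"
)

// Permission identifiers. Their exact spelling in the server is an assumption
// of this example; the two-direction split is what matters here.
const (
	PermConvertPublicToPrivate = "convert_public_channel_to_private"
	PermConvertPrivateToPublic = "convert_private_channel_to_public"
)

// PermissionSet stands in for the caller's effective permissions on the channel.
type PermissionSet map[string]bool

func (p PermissionSet) Has(name string) bool { return p[name] }

var (
	ErrForbidden = errors.New("forbidden: missing permission for this type change")
	ErrBadType   = errors.New("invalid channel type")
)

// vulnerableTypeChange reproduces the flawed logic: a single permission,
// meant for public -> private, authorizes a change in either direction.
// It returns the type the channel ends up with.
func vulnerableTypeChange(current, requested string, perms PermissionSet) (string, error) {
	if requested != ChannelTypeOpen && requested != ChannelTypePrivate {
		return current, ErrBadType
	}
	if !perms.Has(PermConvertPublicToPrivate) {
		return current, ErrForbidden
	}
	return requested, nil // direction is never inspected
}

// hardenedTypeChange derives the direction from the current and requested
// types and demands the permission specific to that direction.
func hardenedTypeChange(current, requested string, perms PermissionSet) (string, error) {
	if requested != ChannelTypeOpen && requested != ChannelTypePrivate {
		return current, ErrBadType
	}
	if current == requested {
		return current, nil // nothing changes, nothing to authorize
	}
	var need string
	switch {
	case current == ChannelTypeOpen && requested == ChannelTypePrivate:
		need = PermConvertPublicToPrivate
	case current == ChannelTypePrivate && requested == ChannelTypeOpen:
		need = PermConvertPrivateToPublic
	default: // e.g. a direct-message channel: not convertible at all
		return current, ErrBadType
	}
	if !perms.Has(need) {
		return current, fmt.Errorf("%w (need %s)", ErrForbidden, need)
	}
	return requested, nil
}

func main() {
	// Alice, from the scenario above: only the public -> private permission.
	alice := PermissionSet{PermConvertPublicToPrivate: true}
	got, err := vulnerableTypeChange(ChannelTypePrivate, ChannelTypeOpen, alice)
	fmt.Println("vulnerable: private -> public =>", got, err)
	got, err = hardenedTypeChange(ChannelTypePrivate, ChannelTypeOpen, alice)
	fmt.Println("hardened:   private -> public =>", got, err)
	got, err = hardenedTypeChange(ChannelTypeOpen, ChannelTypePrivate, alice)
	fmt.Println("hardened:   public -> private =>", got, err)
}
```

With Alice's single permission, the vulnerable check lets finance-secrets become public, while the hardened check refuses it and still allows her the public-to-private conversion she is entitled to. The no-op case (requested type equals current type) is handled before any permission lookup so that a harmless re-save of the channel does not fail for users without either permission.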
To patch: upgrade to Mattermost 10.4.3, 10.3.4 or 9.11.9, or any later release.
Official Mattermost Announcement
- Upgrade Mattermost immediately: if you are running any version listed above, upgrade now.
- Audit channel conversion permissions: until the server is patched, grant "Convert Public Channel to Private" only to highly trusted admins, and review who holds the private-to-public permission in any case.
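The following Go program is an added triage helper, not part of the advisory or of Mattermost. It does two things an administrator would want to script: decide from a version string whether a server falls inside the affected ranges (using the fixed releases named above), and list which roles carry the public-to-private conversion permission in a role dump. Assumptions: Mattermost's X-Version-Id response header begins with the server version, so the parser ignores anything after major.minor.patch; the role JSON is a constructed sample in the shape of a Mattermost role object (name plus a permissions array), as returned by GET /api/v4/roles; and the permission identifier spelling should be confirmed against your own server's role output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Fixed releases named in the advisory, keyed by release line.
var fixedVersions = map[string][3]int{
	"10.4": {10, 4, 3},
	"10.3": {10, 3, 4},
	"9.11": {9, 11, 9},
}

// parseVersion reads the leading major.minor.patch of a version string.
// Assumption: Mattermost's X-Version-Id header starts with the server version
// followed by build metadata, so extra dotted components are ignored.
func parseVersion(s string) ([3]int, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) < 3 {
		return [3]int{}, fmt.Errorf("version %q has fewer than three components", s)
	}
	var v [3]int
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return [3]int{}, fmt.Errorf("version %q: component %d is not numeric", s, i)
		}
		v[i] = n
	}
	return v, nil
}

// IsAffected reports whether a server version is in an affected range.
// known is false for release lines the advisory does not mention (for
// example 10.5.x); the check deliberately refuses to judge those.
func IsAffected(version string) (affected bool, known bool, err error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, false, err
	}
	fixed, ok := fixedVersions[fmt.Sprintf("%d.%d", v[0], v[1])]
	if !ok {
		return false, false, nil
	}
	return v[2] < fixed[2], true, nil
}

// role is the subset of a Mattermost role object this audit needs.
type role struct {
	Name        string   `json:"name"`
	Permissions []string `json:"permissions"`
}

// RolesWithPermission decodes a JSON array of roles and returns the names
// of the roles that carry perm, in the order they appear.
func RolesWithPermission(raw []byte, perm string) ([]string, error) {
	var roles []role
	if err := json.Unmarshal(raw, &roles); err != nil {
		return nil, err
	}
	var out []string
	for _, r := range roles {
		for _, p := range r.Permissions {
			if p == perm {
				out = append(out, r.Name)
				break
			}
		}
	}
	return out, nil
}

// Constructed sample, not real server output: only the fields the audit reads.
const sampleRoles = `[
  {"name": "channel_user",  "permissions": ["read_channel", "create_post"]},
  {"name": "channel_admin", "permissions": ["manage_channel_roles", "convert_public_channel_to_private"]},
  {"name": "system_admin",  "permissions": ["convert_public_channel_to_private", "convert_private_channel_to_public"]}
]`

func main() {
	// The first value is constructed in the shape of an X-Version-Id header.
	for _, v := range []string{"9.11.8.9.11.8.deadbeef.false", "10.4.3", "10.5.0"} {
		affected, known, err := IsAffected(v)
		fmt.Printf("%-32s affected=%v known=%v err=%v\n", v, affected, known, err)
	}
	names, err := RolesWithPermission([]byte(sampleRoles), "convert_public_channel_to_private")
	fmt.Println("roles able to convert public -> private:", names, err)
}
```

Feed IsAffected the version you see in the X-Version-Id header of any API response, and feed RolesWithPermission the body of GET /api/v4/roles (an admin token is needed). Every role the second function prints is, on an unpatched server, effectively a role that can also publish private channels, which is the list to trim until you have upgraded.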
References & Further Reading
- NIST NVD Record: CVE-2025-27933 _(will update as the record goes public)_
- Mattermost Security Announcements: https://mattermost.com/security-updates/
- Mattermost API Docs: Channel Patch Endpoint
Conclusion
CVE-2025-27933 is a clear example of why permission checks need to be tight. If you are responsible for your company's Mattermost, do not delay: update your software, check your permissions, and keep team chats private.
If you have questions or need help with patching, ask in the Mattermost Community Forums.
Have you checked your channel permissions lately? It could make all the difference!
Timeline
Published on: 03/21/2025 09:15:13 UTC
Last modified on: 03/27/2025 14:55:25 UTC