Technical description
Mattermost versions 11.5.x up to and including 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites. This allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to by sending a crafted request to the post rewrite endpoint.
Attack vector
An authenticated attacker can submit a message rewrite request to the AI-assisted rewrite endpoint for messages in private channels or direct messages outside their authorized scope. Because the endpoint does not validate that the requesting user has membership in the target channel, the AI rewrite response includes the content of the unauthorized message, effectively leaking private communications.
Affected systems
Mattermost Team Edition and Enterprise Edition versions 11.5.0 through 11.5.1 with the AI-assisted message rewrite feature enabled. Mattermost is a widely deployed open-source team collaboration platform used in enterprise and government environments.
Mitigation
Upgrade to Mattermost version 11.5.2 or later, which adds channel membership validation to the AI rewrite endpoint. Organizations unable to upgrade immediately should disable the AI-assisted message rewrite feature or restrict its availability to trusted users only. Review access logs for unexpected POST requests to `/api/v4/posts/*/rewrite` endpoints and audit whether any unauthorized users accessed private channel content.
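The two defensive pieces the advisory describes are the missing authorization step (resolve the post to its channel and require membership before any content reaches the rewrite step) and a review of access logs for POSTs to the rewrite endpoint. The Go example below is added here to illustrate both; it is not Mattermost's code and does not use its types or log format. The post and membership stores, the key=value access-log format, the user and post identifiers, and the log lines are all constructed for the example. Only the `/api/v4/posts/*/rewrite` path comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed in-memory model for the example; not Mattermost's own types.
type Post struct {
	ID        string
	ChannelID string
	Message   string
}

type Store struct {
	posts   map[string]Post
	members map[string]map[string]bool // channelID -> set of member userIDs
}

// errDenied covers both "no such post" and "not a member", so the response
// does not tell a non-member whether a given post ID exists.
var errDenied = errors.New("post not found or access denied")

func (s *Store) IsChannelMember(userID, channelID string) bool {
	return s.members[channelID][userID]
}

// AuthorizeRewrite is the shape of check the advisory says 11.5.2 adds:
// resolve the post to its channel and require the caller to be a member
// before any message content is handed to the rewrite step.
func (s *Store) AuthorizeRewrite(userID, postID string) (Post, error) {
	p, ok := s.posts[postID]
	if !ok || !s.IsChannelMember(userID, p.ChannelID) {
		return Post{}, errDenied
	}
	return p, nil
}

// rewritePath matches the endpoint named in the advisory.
var rewritePath = regexp.MustCompile(`^/api/v4/posts/([^/]+)/rewrite$`)

type Finding struct {
	UserID string
	PostID string
	Line   string
}

// parseKV splits a "k=v k=v ..." log line into a map (assumed log format).
func parseKV(line string) map[string]string {
	out := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			out[k] = v
		}
	}
	return out
}

// AuditAccessLog flags POSTs to the rewrite endpoint by users who are not
// members of the post's channel, i.e. requests a patched server would refuse.
// Membership is evaluated as it stands now, so channels whose membership
// changed since the request was made need a manual look.
func (s *Store) AuditAccessLog(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		f := parseKV(line)
		if f["method"] != "POST" {
			continue
		}
		m := rewritePath.FindStringSubmatch(f["path"])
		if m == nil {
			continue
		}
		if _, err := s.AuthorizeRewrite(f["user_id"], m[1]); err != nil {
			findings = append(findings, Finding{UserID: f["user_id"], PostID: m[1], Line: line})
		}
	}
	return findings
}

// sampleStore and sampleLog are constructed data, not taken from any deployment.
func sampleStore() *Store {
	return &Store{
		posts: map[string]Post{
			"p1": {ID: "p1", ChannelID: "dm-alice-bob", Message: "draft of the unreleased numbers"},
			"p2": {ID: "p2", ChannelID: "town-square", Message: "lunch?"},
		},
		members: map[string]map[string]bool{
			"dm-alice-bob": {"alice": true, "bob": true},
			"town-square":  {"alice": true, "bob": true, "mallory": true},
		},
	}
}

func sampleLog() []string {
	return []string{
		"ts=2026-02-01T09:00:00Z user_id=alice method=POST path=/api/v4/posts/p1/rewrite status=200",
		"ts=2026-02-01T09:01:00Z user_id=mallory method=POST path=/api/v4/posts/p2/rewrite status=200",
		"ts=2026-02-01T09:02:00Z user_id=mallory method=POST path=/api/v4/posts/p1/rewrite status=200",
		"ts=2026-02-01T09:03:00Z user_id=mallory method=GET path=/api/v4/posts/p1 status=403",
	}
}

func main() {
	s := sampleStore()
	for _, f := range s.AuditAccessLog(sampleLog()) {
		fmt.Printf("non-member rewrite: user=%s post=%s\n", f.UserID, f.PostID)
	}
}
```

Run as-is, the audit reports only the third line (mallory rewriting a post in a direct message she is not party to); alice's request and mallory's request in a channel she belongs to pass the same membership check the handler applies. The single denial error in AuthorizeRewrite is deliberate: returning a distinct "not found" for unknown IDs would let a non-member probe which post IDs exist.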