<!doctype html>

<html lang="en"><head><meta charset="utf-8">

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<title>Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration | Zion Boggan</title>

<meta name="description" content="Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.">

<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">

<style>

  :root{

    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;

    --line:#222936; --line2:#2c3543;

    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;

    --accent:#6cc7b8; --accent-dim:#274b47;

    --maxw:1020px;

  }

  *{box-sizing:border-box;}

  html{scroll-behavior:smooth;}

  body{margin:0;background:var(--bg);color:var(--ink);

    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;

    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}

  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}

  a{color:var(--accent);text-decoration:none;}

  a:hover{color:#8fe0d2;}

  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}

  /* nav */

  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);

    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}

  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}

  nav .brand{font-weight:600;letter-spacing:.2px;}

  nav .brand .dot{color:var(--accent);}

  nav .links{display:flex;gap:26px;font-size:13.5px;}

  nav .links a{color:var(--muted);}

  nav .links a:hover{color:var(--ink);}

  @media(max-width:680px){nav .links{display:none;}}

  /* hero */

  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);

    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}

  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);

    display:flex;align-items:center;gap:9px;margin-bottom:20px;}

  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);

    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}

  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}

  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}

  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}

  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}

  .hero .lede b{color:var(--ink);font-weight:600;}

  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}

  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;

    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}

  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}

  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}

  .btn.primary:hover{background:#8fe0d2;color:#06231f;}

  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}

  .meta .mono{color:var(--faint);}

  /* sections */

  section{padding:64px 0;border-bottom:1px solid var(--line);}

  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}

  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}

  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}

  .shead .rule{flex:1;height:1px;background:var(--line);}

  /* flagship */

  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);

    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}

  .flag .top{padding:30px 32px 8px;}

  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}

  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}

  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}

  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}

  .flag p{color:var(--soft);margin:0 0 16px;}

  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}

  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}

  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}

  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}

  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}

  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}

  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}

  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}

  .spec li:first-child{border-top:none;}

  .spec li span{color:var(--muted);}

  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}

  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}

  /* lab cards */

  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}

  @media(max-width:680px){.cards{grid-template-columns:1fr;}}

  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);

    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}

  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}

  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}

  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}

  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}

  .card h3{margin:0 0 9px;font-size:17px;}

  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}

  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}

  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);

    border-radius:5px;padding:3px 8px;}

  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}

  .card .lnk::after{content:" →";}

  /* research */

  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}

  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}

  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;

    padding:18px 22px;border-top:1px solid var(--line);}

  .ritem:first-child{border-top:none;}

  .ritem:hover{background:var(--panel);}

  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}

  .ritem h3{margin:0 0 3px;font-size:16px;}

  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}

  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}

  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}

  .progs{margin-top:22px;}

  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}

  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}

  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);

    border-radius:6px;padding:4px 10px;}

  /* credentials */

  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}

  @media(max-width:680px){.cred{grid-template-columns:1fr;}}

  .cred p{color:var(--soft);margin:0 0 14px;}

  .cred .role{font-size:14px;color:var(--muted);}

  .cred .role b{color:var(--ink);font-weight:600;}

  .certs{list-style:none;margin:0;padding:0;}

  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);

    display:flex;gap:10px;align-items:baseline;}

  .certs li:first-child{border-top:none;}

  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}

  footer{padding:46px 0 64px;}

  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}

  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}

  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}

  .detail-hero{padding:40px 0 26px;}

  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}

  .back:hover{color:var(--ink);}

  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}

  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}

  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}

  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}

  .content{padding:8px 0 0;max-width:840px;}

  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}

  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}

  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}

  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}

  .content p{color:var(--soft);margin:0 0 15px;}

  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}

  .content li{margin:5px 0;}

  .content strong{color:var(--ink);font-weight:600;}

  .content a{color:var(--accent);}

  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}

  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}

  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}

  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}

  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}

  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}

  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}

  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}

  /* notebook index */

  .nbgroup{margin:40px 0 0;}

  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}

  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}

  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}

  .nbtable tr{border-top:1px solid var(--line);}

  .nbtable tr:first-child{border-top:none;}

  .nbtable tr:hover{background:var(--panel);}

  .nbtable td{padding:14px 16px;vertical-align:top;}

  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}

  .nbtable .ti a{font-weight:600;color:var(--ink);}

  .nbtable .ti a:hover{color:var(--accent);}

  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}

  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}

</style>

<link rel="canonical" href="https://zionboggan.com/security-research-notebook/mattermost-shared-channel-authz-bypass/">

<meta name="author" content="Zion Boggan">

<meta name="robots" content="index, follow, max-image-preview:large">

<meta property="og:type" content="article">

<meta property="og:site_name" content="Zion Boggan">

<meta property="og:title" content="Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration | Zion Boggan">

<meta property="og:description" content="Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.">

<meta property="og:url" content="https://zionboggan.com/security-research-notebook/mattermost-shared-channel-authz-bypass/">

<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">

<meta name="twitter:card" content="summary_large_image">

<meta name="twitter:title" content="Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration | Zion Boggan">

<meta name="twitter:description" content="Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.">

<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">

<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration","description":"Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.","url":"https://zionboggan.com/security-research-notebook/mattermost-shared-channel-authz-bypass/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>

</head><body>

<nav><div class="wrap">

  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>

  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>

</div></nav>

<header class="hero detail-hero"><div class="wrap">

  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>

  <div class="kicker">Authz bypass</div>

  <h1>Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration</h1>

</div></header>

<section><div class="wrap"><div class="content">

<p><strong>Severity:</strong> High

<strong>CVSS Score:</strong> 7.7

<strong>CWE:</strong> CWE-862

<strong>Type:</strong> Broken Access Control (Authorization Bypass)

<strong>URL:</strong> <code>POST /api/v4/remotecluster/{remote_id}/channels/{channel_id}/invite</code></p>

<h2>Summary</h2>

<p>The <code>inviteRemoteClusterToChannel</code> and <code>uninviteRemoteClusterToChannel</code> API endpoints in <code>server/channels/api4/shared_channel.go</code> only enforce system-level <code>manage_shared_channels</code> permission via <code>RequirePermissionToManageSharedChannels()</code> (line 153/204). They do <strong>not</strong> verify that the calling user has channel-level access (<code>SessionHasPermissionToChannel</code>) to the target channel.</p>

<p>This allows any user who holds the <code>manage_shared_channels</code> permission (granted via the <code>SharedChannelManager</code> role, which is a non-sysadmin role) to invite a remote cluster to <strong>any private channel on the instance</strong>, including channels they are not a member of and cannot read. Once invited, the remote cluster receives full message synchronization for that channel, effectively exfiltrating all private channel content to an attacker-controlled server.</p>

<p>This is the same bug class as CVE-2025-11777 (authorization scope mismatch), where a system/team-level permission check was used instead of a channel-level check.</p>

<p><strong>Inconsistency proof:</strong> In the same file, <code>getSharedChannelRemotes</code> (line 265) correctly calls <code>SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), c.Params.ChannelId, model.PermissionReadChannel)</code> before returning data. The invite/uninvite endpoints lack this check entirely.</p>

<p><strong>The gap exists across the entire call chain:</strong>

- API layer: <code>api4/shared_channel.go:153</code>, system-level only

- App layer: <code>app/shared_channel.go:113</code>, zero authorization, passthrough

- Plugin API: <code>plugin_api.go:1504</code>, zero authorization, any plugin can invoke

- Service layer: <code>service_api.go:113</code>, zero authorization, will even auto-share a previously unshared channel via <code>shareIfNotShared=true</code></p>

<h2>Reproduction Steps</h2>

<ol>

<li>

<ol>

<li>Deploy Mattermost with shared channels enabled (ExperimentalSettings.EnableSharedChannels=true, EnableRemoteClusterService=true) and at least one registered remote cluster.</li>

</ol>

</li>

<li>

<ol start="2">

<li>As system admin, create a team and a PRIVATE channel. Post confidential data in the private channel.</li>

</ol>

</li>

<li>

<ol start="3">

<li>Create a second user (attacker). Add attacker to the team but NOT to the private channel.</li>

</ol>

</li>

<li>

<ol start="4">

<li>Verify attacker CANNOT read the private channel: GET /api/v4/channels/{private_channel_id}/posts returns HTTP 403.</li>

</ol>

</li>

<li>

<ol start="5">

<li>Grant the attacker the manage_shared_channels permission, either by assigning the SharedChannelManager role or adding the permission to their existing role.</li>

</ol>

</li>

<li>

<ol start="6">

<li>Re-authenticate as the attacker (new session to pick up permissions).</li>

</ol>

</li>

<li>

<ol start="7">

<li>Verify attacker STILL cannot read the private channel: GET /api/v4/channels/{private_channel_id}/posts returns HTTP 403.</li>

</ol>

</li>

<li>

<ol start="8">

<li>As attacker, invite a remote cluster to the private channel: POST /api/v4/remotecluster/{remote_id}/channels/{private_channel_id}/invite</li>

</ol>

</li>

<li>

<ol start="9">

<li>Observe the request does NOT return 403. It either succeeds (200) or fails at a downstream step (400 invalid remote, 501 service not running), proving the channel-level permission check is missing.</li>

</ol>

</li>

<li>

<ol start="10">

<li>If a valid remote cluster ID is used: the private channel becomes shared and its messages sync to the remote cluster, exfiltrating confidential data.</li>

</ol>

</li>

</ol>

<pre><code class="language-bash">curl -X POST &quot;https://TARGET/api/v4/remotecluster/REMOTE_CLUSTER_ID/channels/PRIVATE_CHANNEL_ID/invite&quot; \

  -H "Authorization: Bearer SHARED_CHANNEL_MANAGER_TOKEN" \

  -H "Content-Type: application/json"

</code></pre>

<h2>Evidence</h2>

<pre><code>**Docker verification on mattermost-preview:latest (v11.5.1):**

Differential test - same endpoint, same private channel (created by user2, not accessible to either test user):

</code></pre>

<p>Admin (has manage_shared_channels via system_admin):

  POST /api/v4/remotecluster/aaaabbbb…/channels/{private_channel_id}/invite

  => HTTP 501: “The remote cluster service is not enabled.”

  (PASSED auth check at line 153, reached GetRemoteClusterService at line 159)</p>

<p>Regular user (no manage_shared_channels):

  POST /api/v4/remotecluster/aaaabbbb…/channels/{private_channel_id}/invite

  => HTTP 403: “You do not have the appropriate permissions.”

  (BLOCKED at RequirePermissionToManageSharedChannels at line 153)</p>

<pre><code>

The 501 vs 403 differential proves the **only** authorization gate is the system-level `ManageSharedChannels` permission. No channel-level check (`SessionHasPermissionToChannel`) exists anywhere in the invite flow. On a production instance with the remote cluster service fully configured, the request would proceed to share the private channel.

**Source code proof (GitHub HEAD):**

```go

// api4/shared_channel.go:142 - VULNERABLE

func inviteRemoteClusterToChannel(c *Context, w http.ResponseWriter, r *http.Request) {

    c.RequireRemoteId()

    c.RequireChannelId()

    c.RequirePermissionToManageSharedChannels()  // Line 153: system-level ONLY

    // MISSING: c.App.SessionHasPermissionToChannel(... c.Params.ChannelId, model.PermissionReadChannel)

    ...

    c.App.InviteRemoteToChannel(c.Params.ChannelId, c.Params.RemoteId, ...)  // Line 180

}

// web/context.go:837 - confirms system scope

func (c *Context) RequirePermissionToManageSharedChannels() *Context {

    if !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSharedChannels) {

        c.SetPermissionError(model.PermissionManageSharedChannels)

    }

    return c

}

// api4/shared_channel.go:265 - SECURE (same file, inconsistent)

func getSharedChannelRemotes(c *Context, w http.ResponseWriter, r *http.Request) {

    if ok, _ := c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(),

        c.Params.ChannelId, model.PermissionReadChannel); !ok {

        c.SetPermissionError(model.PermissionReadChannel)  // HAS channel check

        return

    }

}

</code></pre>

<pre><code>

## Impact

**Confidentiality: HIGH** - An attacker with `SharedChannelManager` role (non-sysadmin) can exfiltrate all messages from any private channel on the instance by inviting their controlled remote cluster to it. This includes:

- Private channel message history (full sync)

- File attachments shared in the channel

- User metadata of channel members

- Ongoing real-time message sync

**Integrity: MEDIUM** - The attacker could also uninvite legitimate remotes from shared channels (via the uninvite endpoint with the same missing check), disrupting authorized cross-cluster collaboration.

**Additional attack surface:** The Plugin API (`PluginAPI.InviteRemoteToChannel` at plugin_api.go:1504) performs zero authorization checks. Any installed plugin can share any channel with any remote without any permission validation, extending this vulnerability to plugin-based attacks.

**Scope escalation:** The `shareIfNotShared=true` parameter (passed by the API handler) causes the service layer to auto-share a previously unshared private channel before inviting the remote - silently converting a channel that was never intended to be shared.

## Root Cause

Authorization scope mismatch. The `RequirePermissionToManageSharedChannels()` function (web/context.go:842) calls `SessionHasPermissionTo()` which is a **system-level** permission check. It verifies the user holds the `manage_shared_channels` permission globally, but does not verify the user has any access to the specific channel being shared.

The correct fix requires adding a channel-level check - `SessionHasPermissionToChannel(channelId, PermissionReadChannel)` - before proceeding with the invite, consistent with how `getSharedChannelRemotes` (line 265 in the same file) already checks channel access.

The `ManageSharedChannels` permission is defined with `PermissionScopeSystem` (model/permission.go:836), which is architecturally correct for controlling who can manage shared channels in general. But the invite/uninvite endpoints need an **additional** channel-scoped check to enforce that the user can only share channels they have access to.

## Suggested Fix

Add `SessionHasPermissionToChannel` check in both `inviteRemoteClusterToChannel` and `uninviteRemoteClusterToChannel` handlers, after the existing `RequirePermissionToManageSharedChannels` check:

```go

// api4/shared_channel.go - inviteRemoteClusterToChannel (after line 156)

if ok, _ := c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(),

    c.Params.ChannelId, model.PermissionReadChannel); !ok {

    c.SetPermissionError(model.PermissionReadChannel)

    return

}

</code></pre>

<p>Apply the same fix to:

1. <code>uninviteRemoteClusterToChannel</code> (after line 207)

2. <code>PluginAPI.InviteRemoteToChannel</code> (plugin_api.go:1504), add channel membership validation

3. <code>PluginAPI.UninviteRemoteFromChannel</code> (plugin_api.go:1508), same

4. The <code>/share invite</code> slash command handler (command_share.go), already implicitly scoped to current channel but should be explicitly validated</p>

<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/grafana/mattermost-shared-channel-authz-bypass.md</p>

</div></div></section>

<footer><div class="wrap row">

  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>

  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>

</div></footer>

</body></html>