Mattermost versions 8.1.x prior to 8.1.9, 9.2.x prior to 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated malicious user to access the contents of individual posts in channels they are not a member of.