SecuriTricks - CVE-2025-3611

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Product(s) Impacted

Vendor	Product	Versions
Mattermost	Mattermost	10.7., 10.5., 9.11.*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mattermost	mattermost	10.7.*	/	/	/	/	/	/	/
a	mattermost	mattermost	10.5.*	/	/	/	/	/	/	/
a	mattermost	mattermost	9.11.*	/	/	/	/	/	/	/

References

https://mattermost.com/security-updates

CVSS Score

3.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: May 30, 2025, 3:15 p.m.
Last Modified: May 30, 2025, 4:31 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

responsibledisclosure@mattermost.com

CVE-2025-3611