VYPR
Low severity · NVD Advisory · Published Mar 21, 2025 · Updated Mar 21, 2025

Auto-Enrollment of Team Admins into Private Channels without explicit consent

CVE-2025-27715

Description

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which exposes team admins to being joined to private channels via crafted permalink links without explicit consent from them.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                           Affected versions      Patched versions
github.com/mattermost/mattermost/server/v8 (Go)   >= 9.11.0, < 9.11.9    9.11.9

Patches

No patches discovered yet.
