VYPR
Moderate severity · NVD Advisory · Published Apr 14, 2025 · Updated Apr 14, 2025

System admin profile modification by delegated granular administration role

CVE-2025-32093

Description

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.
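To make the permission-validation flaw concrete, the following is an added example (not Mattermost's code) that models the access check in a few dozen lines of Go: `vulnerableCheck` reproduces the pre-fix rule, where "Edit Other Users" alone is enough to act on any target, and `patchedCheck` reproduces the fixed rule, where only a session holding manage_system may act on a system admin and an unresolvable target fails closed. All types, role and permission strings, and the in-memory directory are constructed stand-ins; they mirror names from the fix commit but are not the project's types or API.

```go
package main

import "fmt"

// Constructed stand-ins for role IDs (not the project's constants).
const (
	roleSystemUser  = "system_user"
	roleSystemAdmin = "system_admin"
)

// Constructed permission names mirroring model.PermissionManageSystem and
// model.PermissionEditOtherUsers from the fix commit.
const (
	permManageSystem   = "manage_system"
	permEditOtherUsers = "edit_other_users"
)

type user struct {
	ID    string
	Roles []string
}

// isSystemAdmin reports whether the system_admin role is present.
func (u user) isSystemAdmin() bool {
	for _, r := range u.Roles {
		if r == roleSystemAdmin {
			return true
		}
	}
	return false
}

type session struct {
	UserID      string
	Permissions map[string]bool
}

func (s session) has(p string) bool { return s.Permissions[p] }

// directory is a constructed in-memory user store standing in for a.GetUser.
type directory map[string]user

func (d directory) get(id string) (user, bool) {
	u, ok := d[id]
	return u, ok
}

// vulnerableCheck models the pre-patch logic: edit_other_users grants access
// to every non-empty target, system admins included.
func vulnerableCheck(s session, targetID string, d directory) bool {
	if targetID == "" {
		return false
	}
	if s.UserID == targetID {
		return true
	}
	return s.has(permEditOtherUsers)
}

// patchedCheck models the fixed logic: manage_system short-circuits, a
// delegated editor is refused on system-admin targets, and a failed lookup
// denies rather than allows.
func patchedCheck(s session, targetID string, d directory) bool {
	if targetID == "" {
		return false
	}
	if s.has(permManageSystem) {
		return true
	}
	if s.UserID == targetID {
		return true
	}
	if !s.has(permEditOtherUsers) {
		return false
	}
	target, ok := d.get(targetID)
	if !ok {
		return false // fail closed when the target cannot be resolved
	}
	return !target.isSystemAdmin()
}

// buildFixture returns constructed sample data: one system admin, one
// delegated user manager holding only edit_other_users, one plain user.
func buildFixture() (directory, session, session) {
	d := directory{
		"admin-1":   {ID: "admin-1", Roles: []string{roleSystemAdmin, roleSystemUser}},
		"manager-1": {ID: "manager-1", Roles: []string{roleSystemUser}},
		"user-1":    {ID: "user-1", Roles: []string{roleSystemUser}},
	}
	manager := session{UserID: "manager-1", Permissions: map[string]bool{permEditOtherUsers: true}}
	admin := session{UserID: "admin-1", Permissions: map[string]bool{permManageSystem: true, permEditOtherUsers: true}}
	return d, manager, admin
}

func main() {
	d, manager, admin := buildFixture()
	cases := []struct {
		who    session
		target string
	}{{manager, "user-1"}, {manager, "admin-1"}, {admin, "admin-1"}, {manager, "ghost"}}
	for _, tc := range cases {
		fmt.Printf("%s -> %s: before=%v after=%v\n", tc.who.UserID, tc.target,
			vulnerableCheck(tc.who, tc.target, d), patchedCheck(tc.who, tc.target, d))
	}
}
```

The row to watch is `manager-1 -> admin-1`: the pre-fix predicate answers true, the fixed one false, while the ordinary `manager-1 -> user-1` case is allowed by both. The lookup-failure row shows the second, quieter change in the fix: an unknown target was previously accepted by any holder of edit_other_users and is now refused.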

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/mattermost/mattermost-server | Go | >= 10.5.0, < 10.5.2 | 10.5.2
github.com/mattermost/mattermost-server | Go | >= 10.4.0, < 10.4.4 | 10.4.4
github.com/mattermost/mattermost-server | Go | >= 9.11.0, < 9.11.10 | 9.11.10
github.com/mattermost/mattermost/server/v8 | Go | >= 10.5.0, < 10.5.2 | 10.5.2
github.com/mattermost/mattermost/server/v8 | Go | >= 10.4.0, < 10.4.4 | 10.4.4
github.com/mattermost/mattermost/server/v8 | Go | >= 9.11.0, < 9.11.10 | 9.11.10
github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250227102013-aa4623a93199 | 8.0.0-20250227102013-aa4623a93199

Affected products: 1

Patches: 1

Commit aa4623a93199

[MM-62687] Patch permission check to avoid modifying the system admin (#30292) (#30353)

https://github.com/mattermost/mattermost · Mattermost Build · Feb 27, 2025 · via ghsa
3 files changed · +22 −4
  • server/channels/api4/user_test.go (+8 −0, modified)
    @@ -4255,6 +4255,14 @@ func TestSetDefaultProfileImage(t *testing.T) {
     	_, err = th.SystemAdminClient.SetDefaultProfileImage(context.Background(), user.Id)
     	require.NoError(t, err)
     
    +	// Check that a system admin can set the default profile image for another system admin
    +	anotherAdmin := th.CreateUser()
    +	_, appErr := th.App.UpdateUserRoles(th.Context, anotherAdmin.Id, model.SystemAdminRoleId+" "+model.SystemUserRoleId, false)
    +	require.Nil(t, appErr)
    +
    +	_, err = th.SystemAdminClient.SetDefaultProfileImage(context.Background(), anotherAdmin.Id)
    +	require.NoError(t, err)
    +
     	ruser, appErr := th.App.GetUser(user.Id)
     	require.Nil(t, appErr)
     	assert.Less(t, ruser.LastPictureUpdate, iuser.LastPictureUpdate, "LastPictureUpdate should be updated to a lower negative number")
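Review bot: The added assertions cover only the positive path, a system admin acting on `anotherAdmin.Id`, which exercises the new `PermissionManageSystem` short-circuit; the regression this commit fixes, a non-admin session that holds `PermissionEditOtherUsers` calling `SetDefaultProfileImage` on a system admin, gets no API-level negative test here. Add a call from a client whose user has Edit Other Users but is not a system admin, targeting `anotherAdmin.Id`, and assert a forbidden response, so the 403 is verified end to end rather than only in the `SessionHasPermissionToUser` unit test.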
    
  • server/channels/app/authorization.go (+13 −4, modified)
    @@ -202,19 +202,28 @@ func (a *App) SessionHasPermissionToUser(session model.Session, userID string) b
     	if userID == "" {
     		return false
     	}
    -	if session.IsUnrestricted() {
    +	if session.IsUnrestricted() || a.SessionHasPermissionTo(session, model.PermissionManageSystem) {
     		return true
     	}
     
     	if session.UserId == userID {
     		return true
     	}
     
    -	if a.SessionHasPermissionTo(session, model.PermissionEditOtherUsers) {
    -		return true
    +	if !a.SessionHasPermissionTo(session, model.PermissionEditOtherUsers) {
    +		return false
     	}
     
    -	return false
    +	user, err := a.GetUser(userID)
    +	if err != nil {
    +		return false
    +	}
    +
    +	if user.IsSystemAdmin() {
    +		return false
    +	}
    +
    +	return true
     }
     
     func (a *App) SessionHasPermissionToUserOrBot(rctx request.CTX, session model.Session, userID string) bool {
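Review bot: `SessionHasPermissionToUser` now performs a store/cache lookup (`a.GetUser(userID)`) whenever the `PermissionEditOtherUsers` branch is reached, so a previously side-effect-free permission predicate can now fail on a lookup error; the function has no doc comment stating the new rule (only `PermissionManageSystem` holders may act on a system admin, and a failed lookup denies). Add one, and note the behaviour change for unknown IDs: before this hunk a session with Edit Other Users got `true` for any non-empty `userID`, after it gets `false`, which is the safer default but callers that probed non-existent users will now see denials.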
    
  • server/channels/app/authorization_test.go (+1 −0, modified)
    @@ -382,6 +382,7 @@ func TestSessionHasPermissionToUser(t *testing.T) {
     
     		th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
     		assert.True(t, th.App.SessionHasPermissionToUser(session, th.BasicUser2.Id))
    +		assert.False(t, th.App.SessionHasPermissionToUser(session, th.SystemAdminUser.Id))
     		th.RemovePermissionFromRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
     
     		bot, err := th.App.CreateBot(th.Context, &model.Bot{
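Review bot: The single added assertion checks the deny path for a `SystemUserManagerRoleId` session against `th.SystemAdminUser.Id`, but the other branch introduced by this patch, a session holding `PermissionManageSystem` that must still get `true` for a system-admin target, is not exercised at the unit level; add a mirror assertion for a system-admin session so the short-circuit in `SessionHasPermissionToUser` is covered here and not only through the `SetDefaultProfileImage` API test.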
    
