Moderate severity · NVD Advisory · Published Jun 20, 2025 · Updated Jun 23, 2025
Unauthorized channel member management through playbook runs
CVE-2025-3227
Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
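The description boils down to an authorization gap on a secondary code path: channel membership is mirrored from a playbook run's participant list, but the check that guards the primary path (the actor must hold 'Manage Channel Members' on that channel) is not applied there. The following Go model is an added illustration, not Mattermost's code; the types, names (Store, Run, Channel, Permission, the user IDs) and the sample state are hypothetical and constructed here, and it shows the vulnerable mirroring beside a hardened version that consults the channel permission before touching membership.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the authorization gap behind CVE-2025-3227.
// None of these types or names come from Mattermost; they exist only to
// show the missing check and its fix.

type Permission string

const PermManageChannelMembers Permission = "manage_channel_members"

var ErrForbidden = errors.New("forbidden: actor lacks manage_channel_members on the linked channel")

type Channel struct {
	ID      string
	Private bool
	Members map[string]bool
}

type Run struct {
	ID           string
	ChannelID    string // empty when the run is not linked to a channel
	Participants map[string]bool
}

type Store struct {
	Channels map[string]*Channel
	Runs     map[string]*Run
	// Perms[userID][channelID] is the set of channel permissions a user holds.
	Perms map[string]map[string]map[Permission]bool
}

// HasPermission tolerates unknown users/channels: indexing a nil map yields false.
func (s *Store) HasPermission(userID, channelID string, p Permission) bool {
	return s.Perms[userID][channelID][p]
}

// ChangeParticipantVulnerable reflects the flawed behaviour: the run's
// participant list is mirrored into the linked channel's membership with no
// check that the actor may manage that channel's members.
func (s *Store) ChangeParticipantVulnerable(actorID, runID, targetID string, add bool) error {
	run, ok := s.Runs[runID]
	if !ok {
		return fmt.Errorf("run %q not found", runID)
	}
	setMember(run.Participants, targetID, add)
	if ch, linked := s.Channels[run.ChannelID]; linked {
		setMember(ch.Members, targetID, add) // side effect with no authorization
	}
	return nil
}

// ChangeParticipantFixed performs the same mirroring only after verifying the
// actor holds manage_channel_members on the linked channel. An unlinked run
// needs no channel check because no channel membership changes.
func (s *Store) ChangeParticipantFixed(actorID, runID, targetID string, add bool) error {
	run, ok := s.Runs[runID]
	if !ok {
		return fmt.Errorf("run %q not found", runID)
	}
	ch, linked := s.Channels[run.ChannelID]
	if linked && !s.HasPermission(actorID, ch.ID, PermManageChannelMembers) {
		return ErrForbidden
	}
	setMember(run.Participants, targetID, add)
	if linked {
		setMember(ch.Members, targetID, add)
	}
	return nil
}

func setMember(set map[string]bool, id string, add bool) {
	if add {
		set[id] = true
	} else {
		delete(set, id)
	}
}

// NewFixture builds constructed sample state: private channel c1 linked to run r1,
// alice (member without manage rights), carol (has manage rights), bob (outsider),
// and run r2 that is not linked to any channel.
func NewFixture() *Store {
	return &Store{
		Channels: map[string]*Channel{
			"c1": {ID: "c1", Private: true, Members: map[string]bool{"alice": true, "carol": true}},
		},
		Runs: map[string]*Run{
			"r1": {ID: "r1", ChannelID: "c1", Participants: map[string]bool{"alice": true, "carol": true}},
			"r2": {ID: "r2", Participants: map[string]bool{"alice": true}},
		},
		Perms: map[string]map[string]map[Permission]bool{
			"carol": {"c1": {PermManageChannelMembers: true}},
		},
	}
}

func main() {
	s := NewFixture()
	_ = s.ChangeParticipantVulnerable("alice", "r1", "bob", true)
	fmt.Println("vulnerable: bob now in private channel c1:", s.Channels["c1"].Members["bob"])

	s = NewFixture()
	err := s.ChangeParticipantFixed("alice", "r1", "bob", true)
	fmt.Println("fixed: alice adding bob:", err, "| bob in c1:", s.Channels["c1"].Members["bob"])
	err = s.ChangeParticipantFixed("carol", "r1", "bob", true)
	fmt.Println("fixed: carol adding bob:", err, "| bob in c1:", s.Channels["c1"].Members["bob"])
}
```

The point the fix makes is that the permission check keys on the actor and the linked channel, not on the run: membership in the run (alice is a participant) says nothing about the right to manage the channel's members, and the denial path must leave both the run and the channel untouched.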
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost-server | Go | < 0.0.0-20250520060012-d0380305ef7a | 0.0.0-20250520060012-d0380305ef7a |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250520060012-d0380305ef7a | 8.0.0-20250520060012-d0380305ef7a |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.5.0, < 10.5.6 | 10.5.6 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 9.11.0, < 9.11.16 | 9.11.16 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.8.0, < 10.8.1 | 10.8.1 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.7.0, < 10.7.3 | 10.7.3 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.6.0, < 10.6.6 | 10.6.6 |
Affected products
- pkg:golang/github.com/mattermost/mattermost-server (no CPE), range: < 0.0.0-20250520060012-d0380305ef7a
- pkg:golang/github.com/mattermost/mattermost/server/v8 (no CPE), range: < 8.0.0-20250520060012-d0380305ef7a
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20250730T213748-1.1
- Range: 10.5.0
References
- github.com/advisories/GHSA-qwwm-c582-82rx (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3227 (advisory)
- mattermost.com/security-updates (web)