Moderate severity · NVD Advisory · Published Jun 20, 2025 · Updated Jun 23, 2025
Unauthorized channel member management through playbook runs
CVE-2025-3227
Description
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
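To make the class of flaw in the description concrete, the following is an added Go example written for this page; it is not Mattermost's code and all type and function names (Run, Channel, PermissionChecker, updateParticipantChecked, and the rest) are hypothetical. It models a playbook run linked to a channel where changing the run's participants also changes the channel's member set, and places the vulnerable path (no permission check) beside the corrected one, which refuses the change unless the acting user holds the manage-members permission on the linked channel. A run that is not linked to a channel only touches its own participant list and needs no channel permission.

```go
package main

import (
	"errors"
	"fmt"
)

// Everything below is a constructed model for illustration; the type and
// function names are hypothetical and are not Mattermost's API.
type Permission string

const PermissionManageChannelMembers Permission = "manage_channel_members"

// Channel holds the member set that the advisory says could be altered.
type Channel struct {
	ID      string
	Members map[string]bool
}

// Run is a playbook run; ChannelID is empty when the run is not linked to a channel.
type Run struct {
	ID           string
	ChannelID    string
	Participants map[string]bool
}

// PermissionChecker answers whether a user holds a permission on a channel.
type PermissionChecker interface {
	HasPermissionToChannel(userID, channelID string, perm Permission) bool
}

// staticChecker is a hypothetical in-memory checker keyed "user:channel:permission".
type staticChecker map[string]bool

func (s staticChecker) HasPermissionToChannel(userID, channelID string, perm Permission) bool {
	return s[userID+":"+channelID+":"+string(perm)]
}

var ErrForbidden = errors.New("forbidden: actor lacks manage_channel_members on the linked channel")

// updateParticipantVulnerable mirrors the flaw class in the description: a change to
// a run participant propagates to the linked channel's member set with no check that
// the acting user may manage that channel's members.
func updateParticipantVulnerable(run *Run, ch *Channel, actorID, targetID string, add bool) error {
	_ = actorID // never consulted: this is the defect
	applyChange(run, ch, targetID, add)
	return nil
}

// updateParticipantChecked authorizes the channel side effect before any state changes:
// if the run is linked to a channel, the actor must hold the manage-members permission
// on that channel. Unlinked runs change only the participant list and need no channel check.
func updateParticipantChecked(pc PermissionChecker, run *Run, ch *Channel, actorID, targetID string, add bool) error {
	if run.ChannelID != "" {
		if ch == nil || ch.ID != run.ChannelID {
			return errors.New("linked channel not loaded")
		}
		if !pc.HasPermissionToChannel(actorID, ch.ID, PermissionManageChannelMembers) {
			return ErrForbidden
		}
	}
	applyChange(run, ch, targetID, add)
	return nil
}

// applyChange updates the run's participant set and, for a linked run, the channel's members.
func applyChange(run *Run, ch *Channel, targetID string, add bool) {
	if add {
		run.Participants[targetID] = true
		if run.ChannelID != "" && ch != nil {
			ch.Members[targetID] = true
		}
		return
	}
	delete(run.Participants, targetID)
	if run.ChannelID != "" && ch != nil {
		delete(ch.Members, targetID)
	}
}

func main() {
	run := &Run{ID: "run-1", ChannelID: "chan-1", Participants: map[string]bool{}}
	ch := &Channel{ID: "chan-1", Members: map[string]bool{"admin": true}}
	pc := staticChecker{"admin:chan-1:manage_channel_members": true}

	// A user without the permission is refused and the member set is untouched.
	err := updateParticipantChecked(pc, run, ch, "lowpriv", "newcomer", true)
	fmt.Println("lowpriv add:", err, "| members:", ch.Members)

	// The permitted user succeeds.
	err = updateParticipantChecked(pc, run, ch, "admin", "newcomer", true)
	fmt.Println("admin add:", err, "| members:", ch.Members)
}
```

The ordering in the checked variant matters: the permission check runs before either the participant list or the member set is touched, so a refused request leaves no partial state behind. Checking the permission against the linked channel (rather than against the run) is the point of the fix, because the run is only a proxy for the channel-membership change.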
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | < 0.0.0-20250520060012-d0380305ef7a | 0.0.0-20250520060012-d0380305ef7a |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250520060012-d0380305ef7a | 8.0.0-20250520060012-d0380305ef7a |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.5.0, < 10.5.6 | 10.5.6 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.11.0, < 9.11.16 | 9.11.16 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.8.0, < 10.8.1 | 10.8.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0, < 10.7.3 | 10.7.3 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0, < 10.6.6 | 10.6.6 |
Affected products
- Range: 10.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qwwm-c582-82rx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-3227 (GHSA, advisory)
- mattermost.com/security-updates (GHSA, web)
News mentions
No linked articles in our index yet.