Low severity · NVD Advisory · Published May 30, 2025 · Updated May 30, 2025
Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions
CVE-2025-3611
Description
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
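The defect class described above is an authorization decision that the System Console UI honours but a direct API path does not. The following Go example is added here to show where such a check has to live; it is not Mattermost code, and every type, role name, section name and handler in it is constructed for illustration. `getTeamVulnerable` gates only on holding a privileged role, so a System Manager configured with "No access" to Teams still reads a team record; `getTeamFixed` consults the per-section policy on the API path itself, which is the mitigation the advisory implies.

```go
package main

import (
	"errors"
	"fmt"
)

// Access is the level a System Console section grants to a role.
// Constructed for this example; not a Mattermost type.
type Access int

const (
	NoAccess  Access = iota // "No access" in the console
	ReadOnly                // may view
	ReadWrite               // may view and edit
)

// RolePolicy maps a console section (e.g. "teams") to the access a role holds.
type RolePolicy map[string]Access

// Constructed sample policies. system_manager is explicitly set to
// "No access" for the Teams section, mirroring the advisory's scenario.
var policies = map[string]RolePolicy{
	"system_admin":   {"teams": ReadWrite, "users": ReadWrite},
	"system_manager": {"teams": NoAccess, "users": ReadOnly},
}

// ErrForbidden is returned when the caller lacks the required access.
var ErrForbidden = errors.New("forbidden")

// Team is the record a team endpoint would return (constructed).
type Team struct {
	ID   string
	Name string
}

// Constructed sample data standing in for the team store.
var teams = map[string]Team{"t1": {ID: "t1", Name: "engineering"}}

func lookupTeam(teamID string) (Team, error) {
	t, ok := teams[teamID]
	if !ok {
		return Team{}, errors.New("team not found")
	}
	return t, nil
}

// getTeamVulnerable models the flaw: it checks only that the caller holds a
// privileged system role and never consults the per-section console setting,
// so a System Manager with "No access" to Teams still reads team details.
func getTeamVulnerable(role, teamID string) (Team, error) {
	if role != "system_admin" && role != "system_manager" {
		return Team{}, ErrForbidden
	}
	return lookupTeam(teamID)
}

// hasSectionAccess is the check the API layer must perform itself rather
// than relying on the UI to hide the section. A role or section missing
// from the policy map evaluates to NoAccess (the zero value), i.e. deny.
func hasSectionAccess(role, section string, need Access) bool {
	p, ok := policies[role]
	if !ok {
		return false
	}
	return p[section] >= need
}

// getTeamFixed enforces the console-configured access on the API path:
// viewing a team requires at least ReadOnly on the "teams" section.
func getTeamFixed(role, teamID string) (Team, error) {
	if !hasSectionAccess(role, "teams", ReadOnly) {
		return Team{}, ErrForbidden
	}
	return lookupTeam(teamID)
}

func main() {
	for _, role := range []string{"system_admin", "system_manager", "member"} {
		_, errV := getTeamVulnerable(role, "t1")
		_, errF := getTeamFixed(role, "t1")
		fmt.Printf("%-15s vulnerable: %-10v fixed: %v\n", role, errV == nil, errF == nil)
	}
}
```

The point of the split between `hasSectionAccess` and the handler is that the same policy the console edits is what the API consults; a second, role-only shortcut in the handler is exactly the kind of divergence that lets a "No access" setting be bypassed by calling the endpoint directly.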
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250414154356-6f33b721de76 | 8.0.0-20250414154356-6f33b721de76 |
Affected products
OSV coordinates (none has a CPE assigned):
- pkg:apk/chainguard/mattermost-10.6
- pkg:apk/chainguard/mattermost-10.6-compat
- pkg:apk/chainguard/mattermost-fips-10.6
- pkg:apk/chainguard/mattermost-fips-10.6-compat
- pkg:apk/wolfi/mattermost-10.6
- pkg:apk/wolfi/mattermost-10.6-compat
- pkg:golang/github.com/mattermost/mattermost/server/v8 (range: >= 10.6.0-rc1, < 10.7.1)
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (range: < 0.0.20250612T141001-1.1)
- (no package coordinates) range: 10.7.0