Moderate severityNVD Advisory· Published May 29, 2025· Updated May 29, 2025
Team Privacy Settings Authorization Bypass in Mattermost Server
CVE-2025-3913
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
github.com/mattermost/mattermost/server/v8Go | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |
github.com/mattermost/mattermost/server/v8Go | >= 10.5.0-rc1, < 10.5.4 | 10.5.4 |
github.com/mattermost/mattermost/server/v8Go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250412152950-02c76784380a | 8.0.0-20250412152950-02c76784380a |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
>= 10.7.0-rc1, < 10.7.1+ 1 more
- (no CPE)range: >= 10.7.0-rc1, < 10.7.1
- (no CPE)range: < 0.0.20250612T141001-1.1
- Range: 10.7.0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.