CVE-2025-27715

Summary

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost9.11.0 <= 9.11.8affected
MattermostMattermost10.5.0unaffected
MattermostMattermost9.11.9unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References