CVE-2025-27933

Summary

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.4.0 <= 10.4.2affected
MattermostMattermost10.3.0 <= 10.3.3affected
MattermostMattermost9.11.0 <= 9.11.8affected
MattermostMattermost10.5.0unaffected
MattermostMattermost10.4.3unaffected
MattermostMattermost10.3.4unaffected
MattermostMattermost9.11.9unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References