CVE-2025-3611

Summary

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.7.0affected
MattermostMattermost10.5.0 <= 10.5.3affected
MattermostMattermost9.11.0 <= 9.11.12affected
MattermostMattermost10.8.0unaffected
MattermostMattermost10.7.1unaffected
MattermostMattermost10.5.4unaffected
MattermostMattermost9.11.13unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References