CVE-2025-41410

Summary

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.10.0 <= 10.10.2affected
MattermostMattermost10.5.0 <= 10.5.10affected
MattermostMattermost10.11.0 <= 10.11.2affected
MattermostMattermost10.12.0unaffected
MattermostMattermost10.10.3unaffected
MattermostMattermost10.5.11unaffected
MattermostMattermost10.11.3unaffected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References