CVE-2025-14660: Improper Access Controls in DecoCMS Mesh
A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. Manipulation of the argument domain leads to improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high, and exploitation appears to be difficult. An exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2025-14660 identifies an improper access control vulnerability in DecoCMS Mesh, specifically in the createTool function within the Workspace Domain Handler component (file packages/sdk/src/mcp/teams/api.ts). This vulnerability arises from insufficient validation or enforcement of permissions on the domain argument passed to createTool, enabling remote attackers to manipulate this parameter and bypass intended access restrictions. The flaw affects all versions up to 1.0.0-alpha.31. The attack vector is network-based with no authentication or user interaction required, but the attack complexity is rated high due to the need for precise manipulation and understanding of the system's internal domain handling. The vulnerability impacts confidentiality, integrity, and availability at a low level, as unauthorized access could lead to limited unauthorized actions within the workspace domain context. The vendor has addressed the issue in version 1.0.0-alpha.32, and a patch is available. Although an exploit has been published, there are no confirmed reports of active exploitation in the wild. The vulnerability is tracked with a CVSS 4.0 base score of 6.3, reflecting medium severity, with network attack vector, high complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability.
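As an added illustration of the bug class the summary describes (not DecoCMS Mesh's own code): a hypothetical createTool handler in the vulnerable shape, where the caller-supplied domain is acted on as given, beside a hardened shape that resolves the domain against the caller's own workspace memberships before anything is created. The Caller type, the membership model and the store are assumptions for the example.

```typescript
// Hypothetical types standing in for a workspace-scoped API; not DecoCMS Mesh's own.
interface Caller { userId: string; domains: Set<string> }   // domains the caller belongs to
interface CreateToolRequest { domain: string; name: string }
interface ToolRecord { domain: string; name: string; createdBy: string }

// Constructed in-memory store so the example runs offline.
export const store: ToolRecord[] = [];

// Vulnerable shape: the domain argument is trusted as supplied, so any caller
// can create a tool in any workspace domain they are able to name.
export function createToolVulnerable(caller: Caller, req: CreateToolRequest): ToolRecord {
  const rec: ToolRecord = { domain: req.domain, name: req.name, createdBy: caller.userId };
  store.push(rec);
  return rec;
}

// Hardened shape, step 1: normalise and validate the domain, then resolve it
// against the caller's memberships. A miss is reported as "not found" so the
// response does not reveal whether a foreign domain exists.
export function assertDomainAccess(caller: Caller, domain: string): string {
  const normalised = domain.trim().toLowerCase();
  if (!/^[a-z0-9.-]{1,253}$/.test(normalised)) throw new Error("invalid domain");
  if (!caller.domains.has(normalised)) throw new Error("not found");
  return normalised;
}

// Hardened shape, step 2: the record is only ever written with the resolved
// domain, never with the raw request value.
export function createToolHardened(caller: Caller, req: CreateToolRequest): ToolRecord {
  const domain = assertDomainAccess(caller, req.domain);
  const rec: ToolRecord = { domain, name: req.name, createdBy: caller.userId };
  store.push(rec);
  return rec;
}
```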
Potential Impact
For European organizations deploying DecoCMS Mesh, this vulnerability poses a risk of unauthorized access to workspace domain functionalities, potentially allowing attackers to create or manipulate tools or resources within the affected component. While the impact on confidentiality, integrity, and availability is low, unauthorized access could lead to data exposure or manipulation within the CMS environment, disrupting business operations or compromising sensitive content. Given the remote attack vector and lack of required authentication, organizations with externally accessible DecoCMS Mesh instances are at higher risk. The high complexity of exploitation reduces the likelihood of widespread attacks, but targeted attacks against organizations using this CMS are plausible. The presence of a published exploit increases the urgency for patching. Failure to address this vulnerability could result in compliance issues with European data protection regulations if sensitive data is exposed or integrity is compromised.
Mitigation Recommendations
European organizations should immediately upgrade DecoCMS Mesh to version 1.0.0-alpha.32 or later to remediate the vulnerability. Network-level protections such as restricting access to DecoCMS Mesh management interfaces to trusted IP ranges or VPNs can reduce exposure. Implement strict monitoring and logging of workspace domain activities to detect anomalous behavior indicative of exploitation attempts. Conduct regular security assessments and code reviews of custom CMS integrations to identify similar access control weaknesses. Employ web application firewalls (WAFs) with rules tailored to detect and block suspicious API calls targeting the createTool function or related endpoints. Educate development and operations teams about the importance of access control validation in CMS components. Finally, maintain an up-to-date inventory of DecoCMS Mesh deployments across the organization to ensure timely patch management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T13:25:14.748Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693ebe20cd21bcc771e7ab9c
Added to database: 12/14/2025, 1:39:44 PM
Last enriched: 12/14/2025, 1:46:57 PM
Last updated: 12/15/2025, 3:55:25 AM