
CVE-2025-3446: CWE-863: Incorrect Authorization in Mattermost

Severity: Medium
Published: Thu May 15 2025 (05/15/2025, 10:43:46 UTC)
Source: CVE
Vendor/Project: Mattermost
Product: Mattermost

Description

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.

AI-Powered Analysis

Last updated: 07/06/2025, 12:11:15 UTC

Technical Analysis

CVE-2025-3446 is a medium-severity vulnerability affecting multiple versions of Mattermost, specifically versions 9.11.0 through 10.6.1. The issue is classified under CWE-863, Incorrect Authorization. The vulnerability arises because Mattermost fails to properly verify permissions when an authenticated user adds a member to a team through the API endpoint for adding a single user to a team. Specifically, a user whose permission only allows inviting non-guest users to a team can use this flaw to add guest users instead, bypassing the authorization check that is meant to distinguish guest invitations from regular ones. The flaw affects the integrity of team membership management: guest users can be added to a team by someone who is not authorized to add them. Exploitation requires the attacker to be authenticated with at least limited privileges (permission to invite non-guest users), but no user interaction beyond API usage is needed. The CVSS v3.1 base score is 4.3 (medium): attack vector network (remote exploitation), low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. There are no known exploits in the wild and no official patches linked yet. The vulnerability could be leveraged to manipulate team membership, potentially enabling further unauthorized access or information exposure within Mattermost deployments.
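To make the missing check concrete, the model below contrasts the flawed authorization decision with a corrected one. It is an added illustration, not Mattermost's code: the permission identifiers and the "system_guest" role string follow Mattermost's naming but are assumptions here, and the functions themselves are hypothetical.

```go
package main

import "strings"

// Permission identifiers modelled on Mattermost's naming; this is an
// illustrative model of the check, not Mattermost's own code.
const (
	PermAddUserToTeam = "add_user_to_team"
	PermInviteGuest   = "invite_guest"
)

// User carries the space-separated role string Mattermost stores per user,
// e.g. "system_user" or "system_guest" (assumed values).
type User struct {
	ID    string
	Roles string
}

// IsGuest reports whether the user holds the guest role.
func (u User) IsGuest() bool {
	for _, r := range strings.Fields(u.Roles) {
		if r == "system_guest" {
			return true
		}
	}
	return false
}

// Perms is the set of permissions the authenticated caller holds on the team.
type Perms map[string]bool

// CanAddVulnerable mirrors the flawed logic: only the generic add-member
// permission is consulted, so a guest target is treated like any other user
// and the narrower "invite non-guest" privilege is enough to add a guest.
func CanAddVulnerable(actor Perms, target User) bool {
	return actor[PermAddUserToTeam]
}

// CanAddFixed applies the missing check: adding a guest additionally requires
// the guest-invite permission, so the add-member privilege alone is refused.
func CanAddFixed(actor Perms, target User) bool {
	if !actor[PermAddUserToTeam] {
		return false
	}
	if target.IsGuest() && !actor[PermInviteGuest] {
		return false
	}
	return true
}
```

The same split applies to detection: an audit rule that only alerts on "member added" events will miss the issue, whereas one that also inspects the added account's role will flag guest additions by callers who hold only the non-guest invite permission.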

Potential Impact

For European organizations using affected versions of Mattermost, this vulnerability could undermine internal access controls by allowing authenticated users with limited permissions to add guest users to teams improperly. This could lead to unauthorized access to sensitive team communications, collaboration data, or internal resources shared within Mattermost teams. While the vulnerability does not directly compromise confidentiality or availability, the integrity of team membership and access control policies is weakened, increasing the risk of insider threats or lateral movement within the organization. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance risks if unauthorized users gain access to protected information. Additionally, guest users added without proper authorization could be used as a foothold for further attacks or data exfiltration. The impact is more pronounced in environments where Mattermost is used as a primary collaboration platform and where guest user permissions are tightly controlled.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately review and restrict permissions related to inviting users to teams, ensuring only fully trusted users have such privileges.
2) Monitor and audit team membership changes, especially additions of guest users, to detect unauthorized modifications.
3) Upgrade Mattermost to versions beyond those affected once patches are released, or apply any available vendor-provided workarounds or configuration changes that limit API access for user invitations.
4) Implement network-level controls such as API gateway restrictions or firewall rules to limit access to Mattermost APIs to trusted users and systems.
5) Educate administrators and users about the risk of unauthorized guest additions and enforce strict policies on guest user management.
6) If immediate patching is not possible, consider disabling or restricting API endpoints related to user invitations temporarily to reduce exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: Mattermost
Date Reserved: 2025-04-08T11:30:51.635Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec74c

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 12:11:15 PM

Last updated: 8/16/2025, 12:55:55 AM
