
CVE-2025-3611: CWE-863: Incorrect Authorization in Mattermost

Severity: Low
Tags: Vulnerability, CVE-2025-3611, CWE-863
Published: Fri May 30 2025 (05/30/2025, 14:22:09 UTC)
Source: CVE Database V5
Vendor/Project: Mattermost
Product: Mattermost

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

AI-Powered Analysis

Last updated: 07/08/2025, 16:14:08 UTC

Technical Analysis

CVE-2025-3611 is an incorrect authorization (CWE-863) vulnerability in Mattermost, an open-source collaboration and messaging platform widely used for team communication. It affects the 10.7.x, 10.5.x and 9.11.x release lines, from 10.7.0, 10.5.0 and 9.11.0 respectively up to and including 10.7.0, 10.5.3 and 9.11.12. The flaw is that Mattermost does not properly enforce access control restrictions for users assigned the System Manager role. Even when the System Console explicitly denies those users access to Teams (the setting 'No access'), an authenticated user with System Manager privileges can still read team details by sending requests directly to the team API endpoints. In other words, the restriction is honoured by the System Console UI but is not consulted by the backend authorization check that guards the API, so the UI-level restriction can be bypassed. The vulnerability does not allow modification or deletion of data (no integrity or availability impact), but it does allow unauthorized disclosure of team details, affecting confidentiality. The CVSS v3.1 base score is 3.1 (low severity), reflecting a network attack vector, low required privileges (the System Manager role), high attack complexity, no user interaction, and a limited confidentiality impact only. There are no known exploits in the wild, and no patches have been linked yet. The issue was publicly disclosed on May 30, 2025.
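The following Go snippet is an added illustration of the CWE-863 pattern the analysis describes, written for this page and not taken from Mattermost's code base: a handler that grants access on the basis of a role name never sees the per-role permission that the System Console "No access" setting removes, whereas a handler that checks the granular permission denies the request as intended. The permission and role names used here are assumptions for the example.

```go
package main

// Illustrative model (not Mattermost's code) of the CWE-863 pattern behind
// CVE-2025-3611: an API handler must consult the same granular permission
// that the System Console "Teams: No access" setting removes from the role.
// Permission and role names below are assumptions for this example.

const (
	PermManageSystem        = "manage_system"
	PermSysconsoleReadTeams = "sysconsole_read_user_management_teams"
)

type Role struct {
	Name        string
	Permissions map[string]bool
}

type User struct{ Roles []Role }

// has reports whether any of the user's roles satisfies pred.
func (u User) has(pred func(Role) bool) bool {
	for _, r := range u.Roles {
		if pred(r) {
			return true
		}
	}
	return false
}

func (u User) HasRole(n string) bool       { return u.has(func(r Role) bool { return r.Name == n }) }
func (u User) HasPermission(p string) bool { return u.has(func(r Role) bool { return r.Permissions[p] }) }

// CanReadTeamVulnerable short-circuits on the role name, so the per-role
// permission set edited in the System Console is never consulted.
func CanReadTeamVulnerable(u User) bool {
	return u.HasRole("system_admin") || u.HasRole("system_manager")
}

// CanReadTeamFixed checks the granular permission; "No access" strips it,
// so a System Manager denied Teams in the console is denied by the API too.
func CanReadTeamFixed(u User) bool {
	return u.HasPermission(PermManageSystem) || u.HasPermission(PermSysconsoleReadTeams)
}

// SystemManager builds a system_manager role; readTeams mirrors the
// System Console "Teams" setting (true = can view, false = "No access").
func SystemManager(readTeams bool) Role {
	return Role{Name: "system_manager", Permissions: map[string]bool{PermSysconsoleReadTeams: readTeams}}
}
```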

Potential Impact

For European organizations using affected Mattermost versions, this vulnerability could lead to unauthorized disclosure of sensitive team information. Although the impact is limited to confidentiality and does not affect data integrity or service availability, the exposure of team details could reveal organizational structure, project information, or membership that attackers or insider threats could leverage for further attacks such as social engineering or targeted phishing. Organizations in sectors with strict data privacy regulations (e.g., GDPR) may face compliance risks if sensitive information is exposed. Since the vulnerability requires authenticated System Manager privileges, the risk is primarily from insider threats or compromised privileged accounts. However, given that System Manager roles typically have broad administrative capabilities, this flaw could be a stepping stone for privilege escalation or lateral movement if combined with other vulnerabilities or misconfigurations. The low CVSS score suggests limited immediate risk, but the potential for information leakage in regulated environments warrants attention.

Mitigation Recommendations

European organizations should first determine whether they are running an affected Mattermost version (10.7.x <= 10.7.0, 10.5.x <= 10.5.3, or 9.11.x <= 9.11.12). Until an official patch is released, they should apply strict controls around the System Manager role, assigning it only to trusted personnel. Monitoring and logging API requests to team endpoints can help detect unauthorized access attempts. Network segmentation and zero-trust principles should be applied to restrict access to Mattermost administrative interfaces. Organizations should also review and tighten their role-based access control (RBAC) policies so that System Manager privileges are minimized and audited regularly. Where it is not needed, API access for System Manager roles should be disabled or restricted. Finally, organizations should be ready to apply patches promptly once available and should consider compensating controls such as multi-factor authentication (MFA) for privileged accounts to reduce the risk of credential compromise.


Technical Details

Data Version
5.1
Assigner Short Name
Mattermost
Date Reserved
2025-04-14T20:40:50.972Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839c41d182aa0cae2b43552

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 4:14:08 PM

Last updated: 8/6/2025, 10:27:22 PM

