CVE-2025-3913: CWE-863: Incorrect Authorization in Mattermost Mattermost
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
AI Analysis
Technical Summary
CVE-2025-3913 is a medium-severity vulnerability affecting multiple versions of Mattermost, specifically versions 9.11.0 through 10.7.0. The issue stems from incorrect authorization checks (CWE-863) in the Mattermost API endpoint /api/v4/teams/:teamId/privacy, which manages team privacy settings. Team administrators who do not hold the 'invite user' permission can nevertheless access and modify team invite IDs through this endpoint: the server fails to validate whether the team administrator is actually allowed to change invite-related settings, so team privacy configuration can be modified without the intended permission. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network (AV:N, PR:N, UI:N); note, however, that the vendor description itself scopes the issue to team administrators, so in practice the caller holds a team-admin account on the affected team. The CVSS v3.1 base score is 5.3 (medium), with the impact limited to confidentiality (C:L); integrity and availability are unaffected (I:N, A:N). No exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved on April 23, 2025 and published on May 29, 2025. Exposure of team invite IDs could allow unauthorized users to be invited to a team or reveal team membership, compromising the confidentiality of team membership information.
Potential Impact
For European organizations using Mattermost versions 9.11.0 through 10.7.0, this vulnerability could lead to unauthorized disclosure of team invite IDs and potentially unauthorized invitations to private teams. This could result in unauthorized access to internal communications and collaboration spaces, exposing sensitive organizational information. While the vulnerability does not directly impact data integrity or availability, the confidentiality breach could facilitate further social engineering or insider threats. Organizations in regulated sectors such as finance, healthcare, and government could face compliance risks if unauthorized access leads to exposure of personal or sensitive data. Additionally, the breach of team privacy settings could undermine trust in internal communication platforms, impacting operational security and collaboration efficiency.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately audit Mattermost deployments to identify affected versions (9.11.0 through 10.7.0).
2) Apply any available patches or updates from Mattermost as soon as they are released. In the absence of official patches, consider temporary workarounds such as restricting team administrator roles to trusted personnel only and limiting the assignment of 'team administrator' privileges.
3) Implement strict monitoring and logging of API calls to the /api/v4/teams/:teamId/privacy endpoint to detect unauthorized access attempts or modifications to team privacy settings.
4) Review and tighten role-based access controls (RBAC) within Mattermost to ensure that only users with explicit 'invite user' permissions can modify invite-related settings.
5) Educate team administrators about the risks of unauthorized invite modifications and encourage prompt reporting of suspicious activity.
6) Consider network-level controls such as IP whitelisting or VPN requirements for accessing Mattermost administrative functions to reduce exposure.
7) Conduct regular security assessments and penetration testing focused on Mattermost deployments to identify and remediate similar authorization issues proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mattermost
- Date Reserved: 2025-04-23T23:15:35.771Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68387d4e182aa0cae2831687
Added to database: 5/29/2025, 3:29:18 PM
Last enriched: 7/7/2025, 11:12:08 PM
Last updated: 11/22/2025, 7:32:30 PM