
CVE-2025-3913: CWE-863: Incorrect Authorization in Mattermost Mattermost

Medium
Tags: Vulnerability, CVE-2025-3913, cve, cwe-863
Published: Thu May 29 2025 (05/29/2025, 15:10:36 UTC)
Source: CVE Database V5
Vendor/Project: Mattermost
Product: Mattermost

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

AI-Powered Analysis

Last updated: 07/07/2025, 23:12:08 UTC

Technical Analysis

CVE-2025-3913 is a medium-severity vulnerability affecting multiple versions of Mattermost, specifically versions 9.11.0 through 10.7.0. The issue stems from incorrect authorization checks (CWE-863) within the Mattermost platform's API endpoint /api/v4/teams/:teamId/privacy. This endpoint is responsible for managing team privacy settings. The vulnerability allows team administrators who do not possess the 'invite user' permission to access and modify team invite IDs. Essentially, the system fails to properly validate whether a team administrator has the necessary permissions to change invite-related settings, enabling unauthorized modification of team privacy configurations. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network (AV:N, PR:N, UI:N). The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the primary impact being limited to confidentiality (C:L), while integrity and availability remain unaffected (I:N, A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on May 29, 2025, and was reserved on April 23, 2025. The flaw could allow unauthorized users to gain access to team invite IDs, potentially enabling them to invite unauthorized users or gain insight into team membership, thereby compromising confidentiality of team membership information.
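The authorization failure described above is a textbook CWE-863 pattern: the endpoint checks one permission (the right to manage the team) and then returns or mutates data that is guarded by a different permission (the right to invite users). The following Go program is an added illustration written for this page; it is not Mattermost's code, and the type names, permission names, and the assumption that a privacy change rotates the team invite ID are all hypothetical. It places the weak check beside a hardened one that only rotates and discloses the invite ID when the caller also holds the invite permission.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the CWE-863 pattern behind this CVE. These types and
// functions are hypothetical and are not Mattermost's code. Assumption: a
// privacy change rotates the team's invite ID, so returning the updated team
// record hands the new invite ID to the caller.

type Permission string

const (
	PermManageTeam Permission = "manage_team"
	PermInviteUser Permission = "invite_user"
)

type Team struct {
	ID       string
	Type     string // "O" = open, "I" = invite-only
	InviteID string
}

// Session models the caller; Perms maps team ID to the permissions granted there.
type Session struct {
	UserID string
	Perms  map[string]map[Permission]bool
}

func (s *Session) Has(teamID string, p Permission) bool {
	return s.Perms[teamID][p] // indexing a nil inner map yields false
}

// TeamView is the response body; InviteID is empty when the caller may not see it.
type TeamView struct {
	ID, Type, InviteID string
}

var ErrForbidden = errors.New("forbidden")

var inviteCounter int

// regenerateInviteID stands in for the server's invite ID rotation (constructed).
func regenerateInviteID(t *Team) string {
	inviteCounter++
	return fmt.Sprintf("inv-%s-%d", t.ID, inviteCounter)
}

// vulnerableUpdatePrivacy gates the endpoint on manage_team only and returns
// the full record, so a team admin without invite_user both rotates and reads
// the invite ID.
func vulnerableUpdatePrivacy(s *Session, t *Team, newType string) (TeamView, error) {
	if !s.Has(t.ID, PermManageTeam) {
		return TeamView{}, ErrForbidden
	}
	t.Type = newType
	t.InviteID = regenerateInviteID(t)
	return TeamView{ID: t.ID, Type: t.Type, InviteID: t.InviteID}, nil
}

// hardenedUpdatePrivacy still lets manage_team holders change the privacy
// type, but rotates and discloses the invite ID only when the caller also
// holds invite_user.
func hardenedUpdatePrivacy(s *Session, t *Team, newType string) (TeamView, error) {
	if !s.Has(t.ID, PermManageTeam) {
		return TeamView{}, ErrForbidden
	}
	t.Type = newType
	view := TeamView{ID: t.ID, Type: t.Type}
	if s.Has(t.ID, PermInviteUser) {
		t.InviteID = regenerateInviteID(t)
		view.InviteID = t.InviteID
	}
	return view, nil
}

func main() {
	// A team admin who holds manage_team but not invite_user.
	admin := &Session{UserID: "admin-no-invite",
		Perms: map[string]map[Permission]bool{"t1": {PermManageTeam: true}}}
	team := &Team{ID: "t1", Type: "O", InviteID: "inv-t1-0"}

	v, _ := vulnerableUpdatePrivacy(admin, team, "I")
	fmt.Printf("vulnerable: type=%s inviteID=%q\n", v.Type, v.InviteID)

	team = &Team{ID: "t1", Type: "O", InviteID: "inv-t1-0"}
	h, _ := hardenedUpdatePrivacy(admin, team, "I")
	fmt.Printf("hardened:   type=%s inviteID=%q (stored=%s)\n", h.Type, h.InviteID, team.InviteID)
}
```

The design point is that the privacy change and the invite ID are separate resources with separate permissions; the hardened handler evaluates each permission at the point where the corresponding data is touched, rather than letting one coarse check cover the whole request.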

Potential Impact

For European organizations using Mattermost versions 9.11.0 through 10.7.0, this vulnerability could lead to unauthorized disclosure of team invite IDs and potentially unauthorized invitations to private teams. This could result in unauthorized access to internal communications and collaboration spaces, exposing sensitive organizational information. While the vulnerability does not directly impact data integrity or availability, the confidentiality breach could facilitate further social engineering or insider threats. Organizations in regulated sectors such as finance, healthcare, and government could face compliance risks if unauthorized access leads to exposure of personal or sensitive data. Additionally, the breach of team privacy settings could undermine trust in internal communication platforms, impacting operational security and collaboration efficiency.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately audit Mattermost deployments to identify affected versions (9.11.0 through 10.7.0).
2) Apply any available patches or updates from Mattermost as soon as they are released. In the absence of official patches, consider temporary workarounds such as restricting team administrator roles to trusted personnel only and limiting the assignment of 'team administrator' privileges.
3) Implement strict monitoring and logging of API calls to the /api/v4/teams/:teamId/privacy endpoint to detect unauthorized access attempts or modifications to team privacy settings.
4) Review and tighten role-based access controls (RBAC) within Mattermost to ensure that only users with explicit 'invite user' permissions can modify invite-related settings.
5) Educate team administrators about the risks of unauthorized invite modifications and encourage prompt reporting of suspicious activity.
6) Consider network-level controls such as IP whitelisting or VPN requirements for accessing Mattermost administrative functions to reduce exposure.
7) Conduct regular security assessments and penetration testing focused on Mattermost deployments to identify and remediate similar authorization issues proactively.
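Recommendation 3 above calls for monitoring calls to the privacy endpoint. The following Go program is an added example written for this page, not a Mattermost tool or log format: it parses constructed access-log lines in a simplified key=value layout, picks out successful calls to /api/v4/teams/:teamId/privacy, and raises an alert for any caller who is not on a constructed per-team allowlist of users who legitimately hold the invite permission. The assumption that the privacy change arrives as an HTTP PUT is this example's, as is the log layout.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in a simplified access-log format (not Mattermost's
// real log format). Fields: timestamp, user, HTTP method, path, status.
const sampleLog = `2025-05-30T10:00:01Z user=alice method=GET path=/api/v4/teams/t1 status=200
2025-05-30T10:00:05Z user=bob method=PUT path=/api/v4/teams/t1/privacy status=200
2025-05-30T10:00:09Z user=carol method=PUT path=/api/v4/teams/t1/privacy status=200
2025-05-30T10:00:12Z user=dave method=PUT path=/api/v4/teams/t2/privacy status=403
2025-05-30T10:00:20Z user=erin method=POST path=/api/v4/teams/t2/invite/email status=200`

// Constructed allowlist: users who legitimately hold the invite permission per team.
// In a real deployment this would be pulled from the platform's role assignments.
var inviteAllowed = map[string]map[string]bool{
	"t1": {"alice": true, "bob": true},
	"t2": {"erin": true},
}

// lineRe matches only requests to the privacy endpoint and captures the team ID.
var lineRe = regexp.MustCompile(`^(\S+) user=(\S+) method=(\S+) path=/api/v4/teams/([^/\s]+)/privacy status=(\d+)$`)

type Alert struct {
	Time, User, Team, Status string
}

// detectPrivacyChanges returns one Alert per successful privacy change made by a
// user outside the team's invite allowlist, plus the total number of calls to the
// privacy endpoint (including rejected ones) for baseline counting.
func detectPrivacyChanges(log string) ([]Alert, int) {
	var alerts []Alert
	total := 0
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		total++
		ts, user, method, team, status := m[1], m[2], m[3], m[4], m[5]
		if method != "PUT" || status != "200" {
			continue // only successful modifications are alert-worthy
		}
		if inviteAllowed[team][user] {
			continue // caller holds the invite permission for this team
		}
		alerts = append(alerts, Alert{Time: ts, User: user, Team: team, Status: status})
	}
	return alerts, total
}

func main() {
	alerts, total := detectPrivacyChanges(sampleLog)
	fmt.Printf("%d privacy endpoint calls, %d alerts\n", total, len(alerts))
	for _, a := range alerts {
		fmt.Printf("ALERT %s user=%s changed privacy of team %s without invite permission\n", a.Time, a.User, a.Team)
	}
}
```

Counting rejected calls separately from alerts keeps a baseline of how often the endpoint is exercised, so a spike in 403s or in calls from unexpected accounts stands out even before the allowlist comparison fires.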


Technical Details

Data Version
5.1
Assigner Short Name
Mattermost
Date Reserved
2025-04-23T23:15:35.771Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68387d4e182aa0cae2831687

Added to database: 5/29/2025, 3:29:18 PM

Last enriched: 7/7/2025, 11:12:08 PM

Last updated: 8/12/2025, 4:49:48 AM
