CVE-2025-22449 — Incorrect Authorization in Mattermost Mattermost Server V8

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

3.8LOWNVD

EPSS

0.1%

top 75.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost Server V8 Mattermost Server Mattermost +1 more

Timeline

PublishedJan 9

Description

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.6

▶Gogithub.com/mattermost_mattermost_server_v89.11.0 — 9.11.6+1

▶CVEListV5mattermost/mattermost9.11.0 — 9.11.5

▶Gogithub.com/mattermost_mattermost-server

🔴Vulnerability Details

OSV

Mattermost Incorrect Authorization vulnerability↗2025-01-09

▶

CVEList

Access control flaw for team admins allows unauthorized team additions↗2025-01-09

▶

OSV

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server↗2025-01-09

▶

GHSA

Mattermost Incorrect Authorization vulnerability↗2025-01-09

▶

📋Vendor Advisories

Red Hat

mattermost: Access control flaw for team admins allows unauthorized team additions↗2025-01-09

▶