CVE-2025-2570: Incorrect Authorization in Mattermost mattermost-server

Severity: 2.7 LOW (NVD)
EPSS: 0.2% (top 55.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 15; latest update May 23

Description

Mattermost versions 10.5.x <= 10.5.3 and 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting when the user does not have access to `ExperimentalSettings`. This allows a System Manager to access `ExperimentalSettings` through the System Console even when `RestrictSystemAdmin` is true.
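A constructed Go model of the failure mode described above, added here as an illustration and not taken from Mattermost's code: the restriction setting is only evaluated on the branch for users who hold the explicit section grant, so a role without the grant falls through to a default-allow. The role names, `Config` struct and `experimentalGrant` map are assumptions made for the example; the fixed variant evaluates the restriction unconditionally and defaults to deny.

```go
package main

import "fmt"

// Illustrative roles (constructed for this example, not Mattermost's identifiers).
type Role string

const (
	SystemAdmin   Role = "system_admin"
	SystemManager Role = "system_manager"
)

// Config holds the one setting this example cares about.
type Config struct {
	RestrictSystemAdmin bool // when true, the console section must be hidden
}

// Explicit grants for the ExperimentalSettings section (constructed sample):
// only the System Admin role is granted it.
var experimentalGrant = map[Role]bool{SystemAdmin: true}

// canReadVulnerable models the reported bug: RestrictSystemAdmin is consulted
// only for roles that hold the explicit grant. A role without the grant
// (System Manager) skips that gate and hits a generic "console roles may
// read" fallback, so it can read the section while the restriction is on.
func canReadVulnerable(cfg Config, r Role) bool {
	if experimentalGrant[r] {
		return !cfg.RestrictSystemAdmin
	}
	return r == SystemManager || r == SystemAdmin // default-allow fallback: the flaw
}

// canReadFixed honours RestrictSystemAdmin on every path and otherwise
// requires the explicit grant, so the absence of a grant means denial.
func canReadFixed(cfg Config, r Role) bool {
	if cfg.RestrictSystemAdmin {
		return false
	}
	return experimentalGrant[r]
}

func main() {
	cfg := Config{RestrictSystemAdmin: true}
	for _, r := range []Role{SystemAdmin, SystemManager} {
		fmt.Printf("%-15s vulnerable=%-5v fixed=%v\n", r, canReadVulnerable(cfg, r), canReadFixed(cfg, r))
	}
}
```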

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.2 | Impact: 1.4

Affected Packages (4 packages)

Source     | Package                                 | Introduced              | Fixed                    | More
NVD        | mattermost/mattermost_server            | 9.11.0                  | 9.11.12                  | +1
Go         | github.com/mattermost/mattermost-server | 9.11.0+incompatible     | 9.11.12+incompatible     | +1
CVEListV5  | mattermost/mattermost                   | 10.5.0                  | 10.5.2                   | +1

Vulnerability Details (4 references)

OSV: Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server (2025-05-23)
GHSA: Mattermost Fails to Check User Access to `ExperimentalSettings` (2025-05-15)
CVEList: System Admin Cannot Access Environment settings in System Console While System Manager Can (2025-05-15)
OSV: Mattermost Fails to Check User Access to `ExperimentalSettings` (2025-05-15)
CVE-2025-2570 — Incorrect Authorization | cvebase