CVE-2025-27715 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

2.7LOWNVD

CNA3.3

EPSS

0.1%

top 75.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMar 21

Latest updateMar 25

Description

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.9

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.9+incompatible

▶Gogithub.com/mattermost_mattermost_server_v89.11.0 — 9.11.9

▶CVEListV5mattermost/mattermost9.11.0 — 9.11.8

🔴Vulnerability Details

OSV

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server↗2025-03-25

▶

OSV

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel↗2025-03-21

▶

GHSA

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel↗2025-03-21

▶

CVEList

Auto-Enrollment of Team Admins into Private Channels without explicit consent↗2025-03-21

▶