CVE-2025-30179Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization5 documents4 sources
Severity
6.5MEDIUMNVD
CNA4.3
EPSS
0.0%
top 91.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMar 21
Latest updateMar 25

Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.9+2
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.9+incompatible+3
CVEListV5mattermost/mattermost10.4.010.4.2+2

🔴Vulnerability Details

4
OSV
Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server2025-03-25
CVEList
MFA Enforcement Bypass in Search APIs2025-03-21
GHSA
Mattermost Fails to Enforce Certain Search APIs2025-03-21
OSV
Mattermost Fails to Enforce Certain Search APIs2025-03-21
CVE-2025-30179 — Incorrect Authorization | cvebase