CVE-2025-31947 — Overly Restrictive Account Lockout Mechanism in Mattermost Mattermost-server

CWE-645 — Overly Restrictive Account Lockout Mechanism5 documents4 sources

Severity

5.3MEDIUMNVD

CNA5.8

EPSS

0.4%

top 41.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMay 15

Latest updateMay 23

Description

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.12+3

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.12+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.6.0 — 10.6.2+4

▶CVEListV5mattermost/mattermost10.6.0 — 10.6.1+3

🔴Vulnerability Details

OSV

Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server↗2025-05-23

▶

GHSA

Mattermost Fails to Lockout LDAP Users After Repeated Login Failures↗2025-05-15

▶

OSV

Mattermost Fails to Lockout LDAP Users After Repeated Login Failures↗2025-05-15

▶

CVEList

Repeated LDAP login failures can lock an LDAP account↗2025-05-15

▶