CVE-2025-3227 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 61.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedJun 20

Latest updateJul 28

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.16+4

▶Gogithub.com/mattermost_mattermost-server9.11.0+incompatible — 9.11.16+incompatible+5

▶Gogithub.com/mattermost_mattermost_server_v810.5.0 — 10.5.6+5

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.5+4

🔴Vulnerability Details

OSV

Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server↗2025-07-28

▶

CVEList

Unauthorized channel member management through playbook runs↗2025-06-20

▶

OSV

Mattermost allows unauthorized channel member management through playbook runs↗2025-06-20

▶

GHSA

Mattermost allows unauthorized channel member management through playbook runs↗2025-06-20

▶