CVE-2025-3228Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization5 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 59.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedJun 20
Latest updateJul 28

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.16+4
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.16+incompatible+5
CVEListV5mattermost/mattermost10.5.010.5.5+4

🔴Vulnerability Details

4
OSV
Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server2025-07-28
CVEList
Unauthorized Guest user access to Playbook2025-06-20
GHSA
Mattermost allows an unauthorized Guest user access to Playbook2025-06-20
OSV
Mattermost allows an unauthorized Guest user access to Playbook2025-06-20
CVE-2025-3228 — Incorrect Authorization | cvebase