CVE-2025-3446Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect AuthorizationCWE-1333Regex Denial of Service6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 59.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMay 15
Latest updateMay 23

Description

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.12+3
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.12+incompatible+3
CVEListV5mattermost/mattermost10.6.010.6.1+3

🔴Vulnerability Details

4
OSV
Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server2025-05-23
CVEList
Members Without Guest Invite Permissions Can Add Guests to Teams2025-05-15
GHSA
Mattermost Fails to Validate Team Invite Permissions2025-05-15
OSV
Mattermost Fails to Validate Team Invite Permissions2025-05-15

📋Vendor Advisories

1
Microsoft
Excessive time spent checking DH keys and parameters2023-07-11
CVE-2025-3446 — Incorrect Authorization | cvebase