cbcvebase.
CVE-2025-3611
published 2025-05-30

CVE-2025-3611: Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles…

medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Affected

19 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 10.0.0-rc1+incompatible < 10.5.4+incompatible10.5.4+incompatible
github.commattermost_mattermost-server>= 10.6.0-rc1+incompatible < 10.7.1+incompatible10.7.1+incompatible
github.commattermost_mattermost-server>= 9.0.0-rc1+incompatible < 9.11.13+incompatible9.11.13+incompatible
github.commattermost_mattermost_server_v8>= 0 < 8.0.0-20250414154356-6f33b721de768.0.0-20250414154356-6f33b721de76
github.commattermost_mattermost_server_v8>= 10.0.0-rc1 < 10.5.410.5.4
github.commattermost_mattermost_server_v8>= 10.6.0-rc1 < 10.7.110.7.1
github.commattermost_mattermost_server_v8>= 9.0.0-rc1 < 9.11.139.11.13
mattermostmattermost
mattermostmattermost10.5.0 – 10.5.3
mattermostmattermost9.11.0 – 9.11.12
mattermostmattermost_server
mattermostmattermost_server>= 10.5.0 < 10.5.410.5.4
mattermostmattermost_server>= 9.11.0 < 9.11.139.11.13
msrccbl2_kernel_5.15.122.1-2_on_cbl_mariner_2.0
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
msrccm1_kernel_5.10.188.1-1_on_cbl_mariner_1.0