CVE-2025-3611 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

4.3MEDIUMNVD

CNA3.1

EPSS

0.1%

top 66.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMay 30

Latest updateJun 3

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.13+2

▶Gogithub.com/mattermost_mattermost-server9.0.0-rc1+incompatible — 9.11.13+incompatible+2

▶Gogithub.com/mattermost_mattermost_server_v810.6.0-rc1 — 10.7.1+3

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.3+2

🔴Vulnerability Details

OSV

Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server↗2025-06-03

▶

CVEList

Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions↗2025-05-30

▶

OSV

Mattermost fails to properly enforce access control restrictions for System Manager roles↗2025-05-30

▶

GHSA

Mattermost fails to properly enforce access control restrictions for System Manager roles↗2025-05-30

▶

📋Vendor Advisories

Microsoft

Out-of-bounds write in Linux kernel's net/sched: sch_qfq component↗2023-07-11

▶