CVE-2025-3913 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

3.8LOWNVD

CNA5.3

EPSS

0.3%

top 48.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMay 29

Latest updateJun 3

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.13+3

▶Gogithub.com/mattermost_mattermost-server9.0.0-rc1+incompatible — 9.11.13+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.7.0-rc1 — 10.7.1+4

▶CVEListV5mattermost/mattermost10.6.0 — 10.6.2+3

🔴Vulnerability Details

OSV

Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server↗2025-06-03

▶

CVEList

Team Privacy Settings Authorization Bypass in Mattermost Server↗2025-05-29

▶

OSV

Mattermost improperly allows team administrators to modify team invites↗2025-05-29

▶

GHSA

Mattermost improperly allows team administrators to modify team invites↗2025-05-29

▶