CVE-2025-46702: Incorrect Authorization in Mattermost Mattermost-server

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 77.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 30; Latest update Jul 28

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauth

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (4 packages)

Source | Package | Affected from | Fixed in | More ranges
NVD | mattermost/mattermost_server | 9.11.0 | 9.11.16 | +4
Go | github.com/mattermost_mattermost-server | 9.11.0+incompatible | 9.11.16+incompatible | +5
CVEListV5 | mattermost/mattermost | 10.5.0 | 10.5.5 | +4

Vulnerability Details (4)

- OSV: Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server (2025-07-28)
- GHSA: Mattermost Incorrect Authorization vulnerability (2025-06-30)
- OSV: Mattermost Incorrect Authorization vulnerability (2025-06-30)
- CVEList: Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management (2025-06-30)

Vendor Advisories (1)

- Microsoft: thunderbolt: Mark XDomain as unplugged when router is removed (2024-09-10)
CVE-2025-46702 — Incorrect Authorization | cvebase