CVE-2025-53971Incorrect Authorization in Mattermost Mattermost-server

CWE-863Incorrect Authorization5 documents4 sources
Severity
3.8LOWNVD
EPSS
0.0%
top 88.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+3 more
Timeline
PublishedAug 21
Latest updateAug 29

Description

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages6 packages

NVDmattermost/mattermost_server9.11.09.11.18+1
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.18+incompatible+3
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250721095846-c602a4a78e1f
CVEListV5mattermost/mattermost10.5.010.5.8+1

🔴Vulnerability Details

4
OSV
Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server2025-08-29
CVEList
Channel and Team Membership APIs inadvertently allow loss of Member privileges.2025-08-21
OSV
Mattermost Fails to Properly Validate Team Role Modification2025-08-21
GHSA
Mattermost Fails to Properly Validate Team Role Modification2025-08-21
CVE-2025-53971 — Incorrect Authorization | cvebase