Mattermost fails to enforce proper access checks for the `ExperimentalSettings` feature when `RestrictSystemAdmin` is enabled. In affected versions (10.5.0–10.5.2, 9.11.0–9.11.11), a System Manager can bypass intended restrictions and access experimental settings in the System Console. The vulnerability occurs due to missing validation when the `RestrictSystemAdmin` flag is active, allowing unauthorized modifications to experimental configurations.
DailyCVE Form:
Platform: Mattermost
Version: 10.5.0–10.5.2
Vulnerability: Improper Access Control
Severity: Low
Date: May 17, 2025
What Undercode Says:
Exploitation:
1. Attacker logs in as System Manager.
2. Accesses System Console despite `RestrictSystemAdmin`.
3. Modifies `ExperimentalSettings` without proper checks.
Mitigation:
1. Upgrade to patched versions (10.5.3, 9.11.12).
2. Disable experimental features if unused.
3. Audit System Manager permissions.
Analytics:
- CVSS Score: 3.5 (Low)
- Attack Vector: Network
- Privilege Required: Low
Commands:
Check Mattermost version:
curl -s http://localhost:8065/api/v4/config/client | grep "Version"
Apply patch:
docker pull mattermost/mattermost-team-edition:10.5.3
Code Snippet (Check Access):
// Returns true only for callers entitled to edit ExperimentalSettings:
// a full System Admin is never blocked by RestrictSystemAdmin, while a
// System Manager is blocked as soon as the flag is enabled.
func CheckExperimentalAccess(user model.User) bool {
    if user.IsSystemAdmin() {
        return true // full admins are not subject to RestrictSystemAdmin
    }
    if !user.IsSystemManager() {
        return false // no System Console role at all
    }
    return !utils.Cfg.RestrictSystemAdmin // System Manager: allowed only when the flag is off
}
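The following Go program is an added example, not Mattermost's code: it places a gate that reproduces the flaw described above (role checked, RestrictSystemAdmin ignored) next to a hardened gate, and runs both over constructed users. The User and Config structs are simplified stand-ins for Mattermost's types; the role ids system_admin and system_manager match Mattermost's naming. It assumes the intended policy is that a System Manager may edit ExperimentalSettings only while RestrictSystemAdmin is off.

```go
package main

import "fmt"

// Role ids as Mattermost names them. The User and Config types below are
// simplified stand-ins for this example, not Mattermost's own structs.
const (
	RoleSystemAdmin   = "system_admin"
	RoleSystemManager = "system_manager"
)

// User carries only what the authorization decision needs.
type User struct {
	Username string
	Roles    []string
}

// Config carries only the flag relevant to the advisory.
type Config struct {
	RestrictSystemAdmin bool
}

func (u User) hasRole(role string) bool {
	for _, r := range u.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// VulnerableCanEditExperimental mirrors the flaw: access to ExperimentalSettings
// is granted on role alone, and RestrictSystemAdmin is never consulted, so a
// System Manager gets through even when the flag is on.
func VulnerableCanEditExperimental(u User, cfg Config) bool {
	_ = cfg // the flag is ignored, which is exactly the bug
	return u.hasRole(RoleSystemAdmin) || u.hasRole(RoleSystemManager)
}

// CanEditExperimental is the hardened gate: a full System Admin is unaffected by
// the flag, a System Manager is denied whenever RestrictSystemAdmin is enabled,
// and anyone else is denied outright.
func CanEditExperimental(u User, cfg Config) bool {
	if u.hasRole(RoleSystemAdmin) {
		return true
	}
	if u.hasRole(RoleSystemManager) {
		return !cfg.RestrictSystemAdmin
	}
	return false
}

func main() {
	// Constructed users and configurations for the demonstration.
	manager := User{Username: "manager", Roles: []string{RoleSystemManager}}
	admin := User{Username: "admin", Roles: []string{RoleSystemAdmin}}
	member := User{Username: "member"}
	restricted := Config{RestrictSystemAdmin: true}
	open := Config{RestrictSystemAdmin: false}

	for _, c := range []struct {
		u   User
		cfg Config
	}{{manager, restricted}, {manager, open}, {admin, restricted}, {member, open}} {
		fmt.Printf("%-8s restrict=%-5v vulnerable=%-5v hardened=%v\n",
			c.u.Username, c.cfg.RestrictSystemAdmin,
			VulnerableCanEditExperimental(c.u, c.cfg),
			CanEditExperimental(c.u, c.cfg))
	}
}
```

The first row of the output is the advisory's case: the vulnerable gate lets the System Manager edit experimental settings while RestrictSystemAdmin is on, and the hardened gate refuses.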
Log Monitoring:
grep "ExperimentalSettings" /var/log/mattermost.log
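As an added detection example (not from the page or from Mattermost), the Go program below goes one step past the grep: it reads mattermost.log line by line, keeps every line mentioning ExperimentalSettings, and for JSON lines extracts the timestamp and acting user so that changes by accounts outside a known-admin set stand out. The log lines are constructed for the example, and the user_id and section field names are assumptions, not a documented Mattermost log schema; lines that are not JSON are still reported on substring match, so nothing the grep would find is dropped.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Hit is one log line that touched ExperimentalSettings.
type Hit struct {
	Timestamp  string
	User       string
	Message    string
	Unexpected bool // true when the acting user is not a known admin (or unknown)
}

// logEntry lists the fields this scanner reads from a JSON log line.
// timestamp/level/msg follow Mattermost's usual layout; user_id and section
// are assumed names for this example.
type logEntry struct {
	Timestamp string `json:"timestamp"`
	Level     string `json:"level"`
	Msg       string `json:"msg"`
	UserID    string `json:"user_id"`
	Section   string `json:"section"`
}

// ScanExperimentalSettings returns every line mentioning ExperimentalSettings.
// JSON lines are attributed to a user and flagged when that user is not in
// knownAdmins; non-JSON lines cannot be attributed and are always flagged.
func ScanExperimentalSettings(log string, knownAdmins map[string]bool) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, "ExperimentalSettings") {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			hits = append(hits, Hit{Message: line, Unexpected: true})
			continue
		}
		hits = append(hits, Hit{
			Timestamp:  e.Timestamp,
			User:       e.UserID,
			Message:    e.Msg,
			Unexpected: !knownAdmins[e.UserID],
		})
	}
	return hits
}

// sampleLog is constructed for this example; it is not real Mattermost output.
const sampleLog = `{"timestamp":"2025-05-17 09:12:01.000 Z","level":"info","msg":"config updated","user_id":"u_sysmgr1","section":"ExperimentalSettings"}
{"timestamp":"2025-05-17 09:12:05.000 Z","level":"info","msg":"user login","user_id":"u_alice"}
not json: ExperimentalSettings saved
{"timestamp":"2025-05-17 09:13:00.000 Z","level":"info","msg":"config updated","user_id":"u_admin","section":"ExperimentalSettings"}`

func main() {
	admins := map[string]bool{"u_admin": true}
	for _, h := range ScanExperimentalSettings(sampleLog, admins) {
		flag := ""
		if h.Unexpected {
			flag = " <-- review"
		}
		fmt.Printf("%s user=%q %s%s\n", h.Timestamp, h.User, h.Message, flag)
	}
}
```

Feed it the real file with a small wrapper that reads /var/log/mattermost.log into the string, and populate knownAdmins from the accounts that legitimately hold the system_admin role; after the upgrade to 10.5.3 or 9.11.12, any remaining flagged line is worth a look during the permission audit.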
Sources:
Reported By: github.com