How the CVE Works
Mattermost fails to enforce channel member permissions during playbook runs. Authenticated users who lack the “Manage Channel Members” permission can modify the participants of a playbook run that is linked to a channel, which lets them add or remove users from public or private channels without authorization. The root cause is a missing permission check on the code path that modifies playbook run participants, so the intended channel-membership restrictions are bypassed.
DailyCVE Form
Platform: Mattermost
Version: 10.5.5, 9.11.15, 10.8.0, 10.7.2, 10.6.5
Vulnerability: Improper Access Control
Severity: Moderate
Date: Jun 20, 2025
Prediction: Patch by Jul 10, 2025
What Undercode Say
Check playbook run permissions:
curl -X GET /api/v4/runs/<run_id>/permissions
Exploit PoC (simulated):
curl -X POST /api/v4/runs/<run_id>/participants -d '{"user_id":"attacker"}'
How the Exploit Works
1. Authenticate as low-privilege user.
2. Link playbook run to target channel.
3. Add/remove users via run participants API.
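The following Go program is an added example, not Mattermost's or the playbooks plugin's code, illustrating the mechanism described under "How the CVE Works" and the exploit steps above: a participant-change handler for a run linked to a channel, shown once without the permission check (the flaw) and once with it (the fix). The types, the Store model, the permission string and the fixture users (admin, lowpriv, outsider) are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// PermManageChannelMembers is the channel-level permission the advisory says was not
// enforced. The string is a constructed name for this example, not Mattermost's constant.
const PermManageChannelMembers = "manage_channel_members"

// ErrForbidden is returned by the hardened handler when the caller may not change
// membership of the channel the run is linked to.
var ErrForbidden = errors.New("forbidden: caller lacks manage_channel_members on linked channel")

// Channel and Run are minimal stand-ins for the server's objects (constructed).
type Channel struct {
	ID      string
	Members map[string]bool
}

type Run struct {
	ID           string
	ChannelID    string // empty when the run is not linked to a channel
	Participants map[string]bool
}

// Store is an in-memory model of the data layer. perms[user][channel][permission]
// records which channel permissions each user holds (constructed, not the real RBAC).
type Store struct {
	Channels map[string]*Channel
	Runs     map[string]*Run
	perms    map[string]map[string]map[string]bool
}

// HasChannelPermission reports whether userID holds perm on channelID.
func (s *Store) HasChannelPermission(userID, channelID, perm string) bool {
	return s.perms[userID][channelID][perm]
}

// applyChange updates run participants and, when the run is linked to a channel,
// mirrors the change into channel membership. This side effect is what the bug exposes.
func (s *Store) applyChange(run *Run, userID string, add bool) {
	if add {
		run.Participants[userID] = true
	} else {
		delete(run.Participants, userID)
	}
	if ch, linked := s.Channels[run.ChannelID]; linked {
		if add {
			ch.Members[userID] = true
		} else {
			delete(ch.Members, userID)
		}
	}
}

// ChangeParticipantVulnerable models the flaw: any authenticated caller who can reach
// the run may add or remove participants, and channel membership follows.
func (s *Store) ChangeParticipantVulnerable(callerID, runID, userID string, add bool) error {
	run, ok := s.Runs[runID]
	if !ok {
		return errors.New("run not found")
	}
	s.applyChange(run, userID, add)
	return nil
}

// ChangeParticipantFixed adds the missing check: if the run is linked to a channel,
// the caller must hold manage_channel_members on that channel before anything changes.
func (s *Store) ChangeParticipantFixed(callerID, runID, userID string, add bool) error {
	run, ok := s.Runs[runID]
	if !ok {
		return errors.New("run not found")
	}
	if run.ChannelID != "" && !s.HasChannelPermission(callerID, run.ChannelID, PermManageChannelMembers) {
		return ErrForbidden
	}
	s.applyChange(run, userID, add)
	return nil
}

// NewDemoStore builds constructed fixture data: a private channel whose admin may manage
// members, a run linked to it, and no permissions at all for the user "lowpriv".
func NewDemoStore() *Store {
	return &Store{
		Channels: map[string]*Channel{
			"chan-private": {ID: "chan-private", Members: map[string]bool{"admin": true, "member": true}},
		},
		Runs: map[string]*Run{
			"run-1": {ID: "run-1", ChannelID: "chan-private", Participants: map[string]bool{"admin": true}},
		},
		perms: map[string]map[string]map[string]bool{
			"admin": {"chan-private": {PermManageChannelMembers: true}},
		},
	}
}

func main() {
	s := NewDemoStore()
	err := s.ChangeParticipantVulnerable("lowpriv", "run-1", "outsider", true)
	fmt.Printf("vulnerable: err=%v outsider_in_channel=%v\n", err, s.Channels["chan-private"].Members["outsider"])

	s = NewDemoStore()
	err = s.ChangeParticipantFixed("lowpriv", "run-1", "outsider", true)
	fmt.Printf("fixed/lowpriv: err=%v outsider_in_channel=%v\n", err, s.Channels["chan-private"].Members["outsider"])
	err = s.ChangeParticipantFixed("admin", "run-1", "member", false)
	fmt.Printf("fixed/admin remove: err=%v member_in_channel=%v\n", err, s.Channels["chan-private"].Members["member"])
}
```

The point of the fixed handler is where the check sits: it is evaluated against the linked channel, before any state is touched, so a forbidden call leaves both the run's participant list and the channel's member list unchanged. Checking only that the caller can see the run, as the vulnerable handler does, is exactly the gap the advisory describes.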
Protection from this CVE
1. Upgrade to 10.5.6, 9.11.16, 10.8.1, 10.7.3, or 10.6.6.
2. Restrict playbook run API access.
3. Audit channel membership logs.
Impact
Unauthorized channel member modifications, privilege escalation, team disruption.
Sources:
Reported By: github.com