CVE-2025-3446

Published May 15, 2025

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-3446 affects Mattermost versions 10.6.x (<= 10.6.1), 10.5.x (<= 10.5.2), 10.4.x (<= 10.4.4), and 9.11.x (<= 9.11.11). The vulnerability stems from a failure to properly check permissions. This flaw allows authenticated users who possess permission to invite non-guest users to a team to bypass intended access controls. Specifically, they can add guest users to that team via the API, which they should not be authorized to do.

Description
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, and 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API call that adds a single user to a team.

Source: responsibledisclosure@mattermost.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 4.3
Impact score: 1.4
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM

Weaknesses

CWE-863 (Incorrect Authorization), assigned by responsibledisclosure@mattermost.com
