CVE-2025-3611

EUVD-2025-16492
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
9.11.0 ≤
𝑥
< 9.11.13
mattermostmattermost_server
10.5.0 ≤
𝑥
< 10.5.4
mattermostmattermost_server
10.7.0
mattermostmattermost_server
10.7.0:rc1
mattermostmattermost_server
10.7.0:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates