Authentication Bypass Vulnerability in Mattermost by Mattermost, Inc.
CVE-2025-25068
8.8HIGH
Summary
Mattermost versions faced a significant vulnerability where multi-factor authentication (MFA) was not enforced on certain plugin endpoints. This oversight allows authenticated attackers to bypass MFA protections by exploiting API requests made to plugin-specific routes. Organizations using these affected versions are urged to assess their security posture and apply necessary patches or upgrades to mitigate potential risks.
Affected Version(s)
Mattermost 10.4.0 <= 10.4.2
Mattermost 10.3.0 <= 10.3.3
Mattermost 9.11.0 <= 9.11.8
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
0x7oda7123