MFA Enforcement Bypass in Mattermost Web Application
CVE-2025-27538

2.2 LOW

Key Information:

Vendor:
Mattermost
CVE Published:
16 April 2025

Summary

Mattermost does not properly enforce multi-factor authentication (MFA) checks for users who hold the edit_other_users permission: on specific API endpoints, such a user can act without satisfying the MFA check and can modify the MFA settings of other users, including users who have never configured MFA. Affected versions are 10.5.x up to and including 10.5.1, 9.11.x up to and including 9.11.9, and 10.6.0 (see Affected Version(s) below); releases after those ranges are not listed as affected. The CVSS 3.1 rating is Low (2.2) because the attacker must already hold a high-privilege permission, attack complexity is rated high, and the impact is limited to a low loss of integrity. It is still an MFA enforcement gap worth closing: an endpoint that lets a privileged account change another account's MFA state without itself being subject to the site-wide MFA policy undermines the guarantee that policy is meant to provide, so administrators should upgrade and review which accounts hold edit_other_users.
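The missing check described above, modelled as an added example. This is illustrative Go written for this page, not Mattermost's code: the User, Server, UpdateMFAVulnerable and UpdateMFAFixed names are invented, and the model assumes the bypassed check is the site-wide MFA enforcement gate applied to the caller's own session.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the failure pattern in this advisory; not Mattermost code.
// A server that enforces MFA site-wide must refuse sensitive actions from any
// session that has not completed MFA enrollment, whatever permissions it holds.

type User struct {
	ID          string
	MFAActive   bool            // user has enrolled a second factor
	Permissions map[string]bool // e.g. "edit_other_users"
}

type Server struct {
	EnforceMFA bool // site-wide MFA enforcement policy is on
	Users      map[string]*User
}

var (
	ErrMFARequired = errors.New("mfa required before this action is allowed")
	ErrForbidden   = errors.New("permission denied")
	ErrNotFound    = errors.New("no such user")
)

// requireMFA is the gate every state-changing endpoint must pass through when
// enforcement is on. The bug class here is an endpoint that skips it.
func (s *Server) requireMFA(actor *User) error {
	if s.EnforceMFA && !actor.MFAActive {
		return ErrMFARequired
	}
	return nil
}

// applyMFAChange is the permission check plus the mutation itself. It is
// shared by both versions below so the only difference is the MFA gate.
func (s *Server) applyMFAChange(actor *User, targetID string, activate bool) error {
	if actor.ID != targetID && !actor.Permissions["edit_other_users"] {
		return ErrForbidden
	}
	target, ok := s.Users[targetID]
	if !ok {
		return ErrNotFound
	}
	target.MFAActive = activate
	return nil
}

// UpdateMFAVulnerable authorizes on the permission alone and never consults
// requireMFA, so a privileged account that has not enrolled MFA can still
// change other users' MFA state: the bypass the advisory describes.
func (s *Server) UpdateMFAVulnerable(actor *User, targetID string, activate bool) error {
	return s.applyMFAChange(actor, targetID, activate)
}

// UpdateMFAFixed runs the MFA gate before the permission check. The only
// exemption is a user enrolling their own second factor, which is the
// bootstrap step enforcement depends on; it is deliberately narrow and does
// not extend to anything done to other accounts.
func (s *Server) UpdateMFAFixed(actor *User, targetID string, activate bool) error {
	selfEnroll := actor.ID == targetID && activate
	if !selfEnroll {
		if err := s.requireMFA(actor); err != nil {
			return err
		}
	}
	return s.applyMFAChange(actor, targetID, activate)
}

// NewDemoServer builds a constructed fixture: enforcement on, an admin who
// holds edit_other_users but has not enrolled MFA, and a user who has.
func NewDemoServer() (*Server, *User, *User) {
	admin := &User{ID: "admin", Permissions: map[string]bool{"edit_other_users": true}}
	alice := &User{ID: "alice", MFAActive: true}
	s := &Server{EnforceMFA: true, Users: map[string]*User{"admin": admin, "alice": alice}}
	return s, admin, alice
}

func main() {
	s, admin, alice := NewDemoServer()
	fmt.Println("vulnerable:", s.UpdateMFAVulnerable(admin, alice.ID, false), "alice MFA now", alice.MFAActive)
	alice.MFAActive = true
	fmt.Println("fixed:     ", s.UpdateMFAFixed(admin, alice.ID, false), "alice MFA now", alice.MFAActive)
	fmt.Println("self-enrol:", s.UpdateMFAFixed(admin, admin.ID, true), "admin MFA now", admin.MFAActive)
	fmt.Println("fixed:     ", s.UpdateMFAFixed(admin, alice.ID, false), "alice MFA now", alice.MFAActive)
}
```

The point is the ordering and the size of the exemption: the gate runs first and unconditionally, and the only exception is scoped to self-enrollment rather than to a permission. A real implementation verifies a second-factor code before flipping enrollment on; that detail is omitted here. A unit test that drives the gate with a privileged, non-enrolled actor is the test that would have caught this class of bug.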

Affected Version(s)

Mattermost 10.5.0 through 10.5.1 (inclusive)

Mattermost 9.11.0 through 9.11.9 (inclusive)

Mattermost 10.6.0
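A version check against the ranges listed above, as an added example (Go written for this page, not Mattermost code). It assumes the version string is taken from the System Console About page or a deployment inventory; versions outside the listed release lines return false only because this advisory does not list them, not because they are known to be unaffected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver holds the numeric parts of a Mattermost release string such as "10.5.1".
type semver struct{ major, minor, patch int }

// parseVersion accepts "10.5.1", "v10.5.1" or "10.5.1-rc1" (pre-release suffix
// and build metadata are ignored) and returns the numeric triple.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("want major.minor.patch, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// cmp returns <0, 0 or >0 as v is before, equal to or after o.
func (v semver) cmp(o semver) int {
	switch {
	case v.major != o.major:
		return v.major - o.major
	case v.minor != o.minor:
		return v.minor - o.minor
	default:
		return v.patch - o.patch
	}
}

// versionRange is an inclusive [lo, hi] interval within one release line.
type versionRange struct{ lo, hi semver }

// affectedRanges mirrors the Affected Version(s) list in this advisory.
var affectedRanges = []versionRange{
	{semver{10, 5, 0}, semver{10, 5, 1}},
	{semver{9, 11, 0}, semver{9, 11, 9}},
	{semver{10, 6, 0}, semver{10, 6, 0}},
}

// IsAffected reports whether the given Mattermost version falls inside one of
// the affected ranges for CVE-2025-27538. An unparseable version is an error,
// not a "safe" result, so callers never treat garbage input as patched.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if v.cmp(r.lo) >= 0 && v.cmp(r.hi) <= 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs straddling each range boundary.
	for _, s := range []string{"9.11.9", "9.11.10", "10.5.1", "10.5.2", "10.6.0", "10.6.1", "10.5"} {
		hit, err := IsAffected(s)
		fmt.Printf("%-8s affected=%v err=%v\n", s, hit, err)
	}
}
```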

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Score:
2.2
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 16 April 2025

Credit

0x7oda7123