MFA Enforcement Bypass in Mattermost Web Application
CVE-2025-27538
Severity score: 2.2 (LOW)
What is CVE-2025-27538?
The vulnerability in Mattermost allows users holding the edit_other_users permission to bypass multi-factor authentication (MFA) checks when calling specific API endpoints. As a result, such a user can modify the MFA settings of other users without passing an MFA check, even for users who have not previously configured MFA. Affected versions include 10.5.x up to 10.5.1 and 9.11.x up to 9.11.9 (the full list is given under Affected Version(s) below). The issue poses a significant security risk because it allows user account settings to be tampered with by anyone holding that permission.
Affected Version(s)
Mattermost 10.5.0 through 10.5.1 (inclusive)
Mattermost 9.11.0 through 9.11.9 (inclusive)
Mattermost 10.6.0
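As an added example (not code from the advisory or from the Mattermost project), the following Python checks a deployment's version string against the affected ranges listed above so an administrator can triage quickly. It assumes the version string is obtained from the server (for example the System Console's version display) and uses only its first three numeric components, ignoring any build suffix.

```python
"""Triage helper for CVE-2025-27538: is a given Mattermost version in an affected range?"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive (lower, upper) bounds, transcribed from the advisory's Affected Version(s) list.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 5, 0), (10, 5, 1)),
    ((9, 11, 0), (9, 11, 9)),
    ((10, 6, 0), (10, 6, 0)),
]


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) from strings such as '10.5.1', 'v9.11.3' or
    '10.5.1.<build-suffix>'. Anything after the third numeric component is ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Mattermost version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison is lexicographic,
    so 9.11.10 correctly sorts above 9.11.9)."""
    parsed = parse_version(version)
    return any(lower <= parsed <= upper for lower, upper in AFFECTED_RANGES)


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) pairs for a list of deployments to review."""
    return [(v, is_affected(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory of server versions; not real deployments.
    sample_inventory = ["10.5.1", "v9.11.3", "9.11.10", "10.6.0", "10.4.5"]
    for version, affected in triage(sample_inventory):
        print(f"{version:>10}: {'AFFECTED - update or mitigate' if affected else 'not in listed ranges'}")
```

Only the ranges on this page are encoded; a version outside them is reported as "not in listed ranges", not as confirmed safe.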