Improper Access Control in Mattermost for Team Admins
CVE-2025-27715
2.7LOW
Summary
Mattermost versions 9.11.x up to 9.11.8 contain a significant flaw in their access control mechanism. This vulnerability allows team admins to be added to private channels without their explicit approval. It enables unauthorized access when crafted permalink links are used, which undermines the privacy and security of sensitive conversations within private channels.
Affected Version(s)
Mattermost 9.11.0 <= 9.11.8
Mattermost 10.5.0
Mattermost 9.11.9
References
CVSS V3.1
Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Joram Wilander