CVE-2025-3227

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.15 Mattermost versions 10.5.x through 10.5.5 Mattermost versions 10.6.x through 10.6.5 Mattermost versions 10.7.x through 10.7.2 Mattermost versions 10.8.x through 10.8.0

Description: The issue is related to the improper enforcement of channel member management permissions in playbook runs. This allows authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Recommendations: For Mattermost versions 9.11.x through 9.11.15, update to a version later than 9.11.15 to resolve the issue. For Mattermost versions 10.5.x through 10.5.5, update to a version later than 10.5.5 to resolve the issue. For Mattermost versions 10.6.x through 10.6.5, update to a version later than 10.6.5 to resolve the issue. For Mattermost versions 10.7.x through 10.7.2, update to a version later than 10.7.2 to resolve the issue. For Mattermost versions 10.8.x through 10.8.0, update to a version later than 10.8.0 to resolve the issue.