PT-2025-12407 · Mattermost · Mattermost

Joram Wilander

Published

2025-03-21

Updated

2025-03-28

CVE-2025-27715

CVSS v3.1

3.3

Low

Vector

AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.8

Description The issue concerns the lack of explicit approval before adding a team admin to a private channel. This allows team admins to join private channels via crafted permalink links without explicit consent.

Recommendations For Mattermost versions 9.11.x through 9.11.8, consider restricting access to private channels until a fix is available, and ensure that team admins are aware of the potential for unauthorized access to these channels.

Fix

LPE

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

BIT-MATTERMOST-2025-27715

CVE-2025-27715

GHSA-CW7Q-5CGC-H3H9

GO-2025-3555

OPENSUSE-SU-2025:14937-1

Affected Products

Mattermost

PT-2025-12407 · Mattermost · Mattermost

CVE-2025-27715

Weakness Enumeration

Related Identifiers

Affected Products

References · 45