CVE-2025-41423

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.10 Mattermost versions 10.4.x through 10.4.2 Mattermost versions 10.5.x through 10.5.0

Description The issue concerns the improper validation of permissions for the API endpoint "/plugins/playbooks/api/v0/signal/keywords/ignore-thread". This allows any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.

Recommendations For versions 9.11.x through 9.11.10, update to a version that properly validates permissions for the API endpoint. For versions 10.4.x through 10.4.2, update to a version that properly validates permissions for the API endpoint. For versions 10.5.x through 10.5.0, update to a version that properly validates permissions for the API endpoint. As a temporary workaround, consider restricting access to the "/plugins/playbooks/api/v0/signal/keywords/ignore-thread" API endpoint until a patch is available.