CVE-2025-2570

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.3 Mattermost versions 9.11.x through 9.11.11

Description: The issue arises when a user lacks access to ExperimentalSettings, causing the system to fail in checking the RestrictSystemAdmin setting. This allows a System Manager to access ExperimentSettings even when RestrictSystemAdmin is set to true, which can be done via the System Console.

Recommendations: For Mattermost versions 10.5.x through 10.5.3, update to a version later than 10.5.3 to resolve the issue. For Mattermost versions 9.11.x through 9.11.11, update to a version later than 9.11.11 to resolve the issue. As a temporary workaround, consider restricting access to ExperimentSettings for System Managers until a patch is available.