CVE-2025-3913

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.12 Mattermost versions 10.5.x through 10.5.3 Mattermost versions 10.6.x through 10.6.2 Mattermost versions 10.7.x through 10.7.0

Description The issue is related to the improper validation of permissions when changing team privacy settings. This allows team administrators without the 'invite user' permission to access and modify team invite IDs via the "/api/v4/teams/:teamId/privacy" endpoint.

Recommendations For versions 9.11.x through 9.11.12, update to a version that properly validates permissions for team administrators. For versions 10.5.x through 10.5.3, update to a version that properly validates permissions for team administrators. For versions 10.6.x through 10.6.2, update to a version that properly validates permissions for team administrators. For versions 10.7.x through 10.7.0, update to a version that properly validates permissions for team administrators. As a temporary workaround, consider restricting access to the "/api/v4/teams/:teamId/privacy" endpoint until a patch is available.