CVE-2025-3611

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.7.x through 10.7.0 Mattermost versions 10.5.x through 10.5.3 Mattermost versions 9.11.x through 9.11.12

Description The issue is related to the failure of Mattermost to properly enforce access control restrictions for System Manager roles. This allows authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Recommendations For Mattermost versions 10.7.x through 10.7.0, update to a version that properly enforces access control restrictions. For Mattermost versions 10.5.x through 10.5.3, update to a version that properly enforces access control restrictions. For Mattermost versions 9.11.x through 9.11.12, update to a version that properly enforces access control restrictions. As a temporary workaround, consider restricting access to team endpoints for System Manager roles until a patch is available.