CVE-2025-4573

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.7.x through 10.7.1 Mattermost versions 10.6.x through 10.6.3 Mattermost versions 10.5.x through 10.5.4 Mattermost versions 9.11.x through 9.11.13

Description The issue is related to the improper validation of LDAP group ID attributes. This allows an authenticated administrator with the PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the "PUT /api/v4/ldap/groups/{remote id}/link" API endpoint when objectGUID is configured as the Group ID Attribute.

Recommendations For Mattermost versions 10.7.x through 10.7.1, update to a version later than 10.7.1 to resolve the issue. For Mattermost versions 10.6.x through 10.6.3, update to a version later than 10.6.3 to resolve the issue. For Mattermost versions 10.5.x through 10.5.4, update to a version later than 10.5.4 to resolve the issue. For Mattermost versions 9.11.x through 9.11.13, update to a version later than 9.11.13 to resolve the issue. As a temporary workaround, consider restricting access to the "PUT /api/v4/ldap/groups/{remote id}/link" API endpoint until a patch is available.