PT-2025-42442 · Mattermost · Mattermost

Lordwillmore

Published

2025-10-16

Updated

2025-11-07

CVE-2025-10545

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.11.x through 10.11.2

Description The software does not correctly check permissions for guest users when adding members to channels. This allows guest users to add any team member to their private channels. The issue occurs through the /api/v4/channels/{channel id}/members API endpoint. The vulnerable parameter is channel id.

Recommendations Update Mattermost to a version later than 10.5.10. Update Mattermost to a version later than 10.11.2.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2025-10545

GHSA-424H-XJ87-M937

GO-2025-4030

OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost

PT-2025-42442 · Mattermost · Mattermost

CVE-2025-10545

Weakness Enumeration

Related Identifiers

Affected Products

References · 86