PT-2025-42443 · Mattermost · Mattermost

Daw10 · Published 2025-10-16 · Updated 2025-11-07 · CVE-2025-41410

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.10.x through 10.10.2
Mattermost versions 10.5.x through 10.5.10
Mattermost versions 10.11.x through 10.11.2

Description

The software does not properly validate email ownership during a Slack import process. This allows attackers to create verified user accounts with arbitrary email domains by providing malicious Slack import data. This bypasses email-based team access restrictions.

Recommendations

Update Mattermost to a version later than 10.10.2.
Update Mattermost to a version later than 10.5.10.
Update Mattermost to a version later than 10.11.2.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2025-13340
CVE-2025-41410
GHSA-3Q4Q-WQM6-HVF3
GO-2025-4029
OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost