CVE-2025-3611: Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions

3.1 CVSS

Description

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Classification

CVE ID: CVE-2025-3611

CVSS Base Severity: LOW

CVSS Base Score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: Mattermost

Product: Mattermost

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3611
https://mattermost.com/security-updates

Timeline

2025-05-30 15:40:18 UTC
CVE

Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions