CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-3913: Team Privacy Settings Authorization Bypass in Mattermost Server

5.3 CVSS

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

Classification

CVE ID: CVE-2025-3913

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: Mattermost

Product: Mattermost

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.44% (scored less or equal to compared to others)

EPSS Date: 2025-06-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3913
https://mattermost.com/security-updates

Timeline

2025-05-29 16:40:15 UTC
CVE

Team Privacy Settings Authorization Bypass in Mattermost Server
2025-05-29 23:15:32 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost/server/v8] Mattermost improperly allows team administrators to modify team invites