CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-46702: Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management

5.4 CVSS

Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.

Classification

CVE ID: CVE-2025-46702

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-863: Incorrect Authorization

Affected Products

Vendor: Mattermost

Product: Mattermost

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46702
https://mattermost.com/security-updates

Timeline

2025-06-30 17:40:13 UTC
CVE

Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
2025-06-30 21:15:21 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost/server/v8] Mattermost Incorrect Authorization vulnerability
2025-06-30 21:15:22 UTC
Github Advisory Database (Go)

[github.com/mattermost/mattermost-server] Mattermost Incorrect Authorization vulnerability