GHSA-qwwm-c582-82rx: Mattermost allows unauthorized channel member management through playbook runs

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the ‘Manage Channel Members’ permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.


Mattermost allows unauthorized channel member management through playbook runs

Moderate severity • GitHub Reviewed • Published Jun 20, 2025 to the GitHub Advisory Database • Updated Jun 20, 2025

Package: gomod github.com/mattermost/mattermost-server (Go)

  Affected versions                        Patched versions
  < 0.0.0-20250520060012-d0380305ef7a      0.0.0-20250520060012-d0380305ef7a

Package: gomod github.com/mattermost/mattermost/server/v8 (Go)

  Affected versions                        Patched versions
  < 8.0.0-20250520060012-d0380305ef7a      8.0.0-20250520060012-d0380305ef7a
  >= 10.5.0, <= 10.5.5                     10.5.6
  >= 9.11.0, <= 9.11.15                    9.11.16
  = 10.8.0                                 10.8.1
  >= 10.7.0, <= 10.7.2                     10.7.3
  >= 10.6.0, <= 10.6.5                     10.6.6
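As an added illustration (not code from Mattermost or from the advisory), the following self-contained Go model shows the gap described above: adding a participant to a playbook run that is linked to a channel changes channel membership as a side effect, so the same permission that guards the direct channel-member API has to be enforced on that indirect path. The types Actor, Run and Permission, the function names and the permission map are hypothetical, constructed for this example only.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Mattermost's code: a minimal model of the advisory's gap.
// Adding a participant to a playbook run linked to a channel also adds that user
// to the channel, so 'Manage Channel Members' must be enforced on this path too.
type Permission string

const PermissionManageChannelMembers Permission = "manage_channel_members"
var ErrForbidden = errors.New("forbidden: manage_channel_members required")

// Actor maps channel ID -> permissions the caller holds there (constructed data).
type Actor struct{ Perms map[string]map[Permission]bool }

// Run is a playbook run; ChannelID is "" when it is not linked to a channel.
type Run struct {
	ChannelID    string
	Participants map[string]bool
}

// addParticipantUnchecked is the pre-fix behaviour: any authenticated caller can
// add a run participant, and a linked run silently adds them to the channel.
func addParticipantUnchecked(run *Run, members map[string]bool, userID string) {
	run.Participants[userID] = true
	if run.ChannelID != "" {
		members[userID] = true
	}
}

// addParticipant is the fixed entry point: for a linked run the actor must hold
// Manage Channel Members on that channel before membership can change.
func addParticipant(actor Actor, run *Run, members map[string]bool, userID string) error {
	if run.ChannelID != "" && !actor.Perms[run.ChannelID][PermissionManageChannelMembers] {
		return ErrForbidden
	}
	addParticipantUnchecked(run, members, userID)
	return nil
}

func main() {
	run := &Run{ChannelID: "private-ch", Participants: map[string]bool{}}
	members := map[string]bool{}
	addParticipantUnchecked(run, members, "alice")      // alice joins the channel
	err := addParticipant(Actor{}, run, members, "bob") // no permission: rejected
	fmt.Println(members["alice"], members["bob"], errors.Is(err, ErrForbidden))
}
```

A run with no linked channel takes the unchanged path, since no channel membership is affected there.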

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-3227
  • https://mattermost.com/security-updates

Published to the GitHub Advisory Database: Jun 20, 2025

Last updated: Jun 20, 2025
