Headline
GHSA-qwwm-c582-82rx: Mattermost allows unauthorized channel member management through playbook runs
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the ‘Manage Channel Members’ permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-3227
Mattermost allows unauthorized channel member management through playbook runs
Moderate severity GitHub Reviewed Published Jun 20, 2025 to the GitHub Advisory Database • Updated Jun 20, 2025
Package
gomod github.com/mattermost/mattermost-server (Go)
Affected versions
< 0.0.0-20250520060012-d0380305ef7a
Patched versions
0.0.0-20250520060012-d0380305ef7a
gomod github.com/mattermost/mattermost/server/v8 (Go)
< 8.0.0-20250520060012-d0380305ef7a
>= 10.5.0, <= 10.5.5
>= 9.11.0, <= 9.11.15
= 10.8.0
>= 10.7.0, <= 10.7.2
>= 10.6.0, <= 10.6.5
8.0.0-20250520060012-d0380305ef7a
10.5.6
9.11.16
10.8.1
10.7.3
10.6.6
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the ‘Manage Channel Members’ permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-3227
- https://mattermost.com/security-updates
Published to the GitHub Advisory Database
Jun 20, 2025
Last updated
Jun 20, 2025