CVE-2025-46702
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-07-08
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 9.11.0 (inc) to 9.11.16 (exc) |
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.6 (exc) |
| mattermost | mattermost_server | From 10.6.0 (inc) to 10.6.6 (exc) |
| mattermost | mattermost_server | From 10.7.0 (inc) to 10.7.3 (exc) |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
| mattermost | mattermost_server | 10.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, and 10.6.x <= 10.6.5 allows authenticated users with member-level permissions to bypass system admin restrictions when managing channel members in playbook runs. Specifically, these users can add or remove participants in private channels even if the 'Manage Members' permission has been removed, leading to unauthorized changes in channel membership.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to sensitive content within private channels by allowing users without proper admin rights to add or remove participants. It also enables guest users to gain channel management privileges, potentially compromising the confidentiality and integrity of communications within the affected Mattermost channels.