CVE-2025-41410
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.5.0 (inc) to 10.5.11 (exc) |
| mattermost | mattermost_server | From 10.10.0 (inc) to 10.10.3 (exc) |
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, and 10.11.x <= 10.11.2. It occurs because the software fails to validate email ownership during the Slack import process. This flaw allows attackers to create verified user accounts with arbitrary email domains by using malicious Slack import data, thereby bypassing email-based team access restrictions.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can create verified user accounts with arbitrary email addresses, potentially gaining unauthorized access to teams or resources that rely on email-based access restrictions. This could lead to unauthorized information disclosure or manipulation within the Mattermost environment.