CVE-2025-14660
Unknown Unknown - Not Provided
Improper Access Control in DecoCMS Workspace Domain Handler

Publication date: 2025-12-14

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-14
Last Modified
2026-04-29
Generated
2026-06-19
AI Q&A
2025-12-14
EPSS Evaluated
2026-06-18
NVD
CVE-2025-14660
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
decocms mesh 1.0.0-alpha.31
decocms mesh 1.0.0-alpha.32
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring attempts to auto-join workspaces using the team auto-join functionality with mismatched email domains. Specifically, look for requests to the autoJoinTeam handler in the DecoCMS Mesh platform where the domain parameter is manipulated or does not match the authenticated user's email domain. Since the exploit involves sending a request with a domain argument to join a workspace without proper authorization, you can detect suspicious activity by inspecting logs or network traffic for such requests. There are no explicit commands provided in the resources, but you can use network monitoring tools (e.g., tcpdump, Wireshark) or application logs to identify unauthorized auto-join attempts. For example, searching logs for errors like "UserInputError" with messages about domain mismatches could indicate attempted exploitation. Additionally, reviewing access logs for unusual workspace join requests from unauthenticated or unauthorized users may help detect exploitation attempts. Ultimately, upgrading to version 1.0.0-alpha.32 is recommended to mitigate this issue. [2, 3, 4]

Executive Summary

CVE-2025-14660 is an improper access control vulnerability in DecoCMS Mesh up to version 1.0.0-alpha.31. It affects the workspace auto-join feature, specifically the function createTool in the Workspace Domain Handler component. The flaw allows an attacker to bypass authorization checks and join any workspace simply by knowing the workspace's domain, without verifying that the user's email domain matches the workspace domain. This means unauthorized users can gain access to workspaces they should not have access to. The vulnerability is remotely exploitable but considered difficult to exploit. It was fixed in version 1.0.0-alpha.32 by adding strict domain validation to ensure only users with matching email domains can auto-join the corresponding teams. [2, 3, 4, 5]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to gain access to your workspaces in DecoCMS Mesh simply by knowing the workspace domain. This unauthorized access can lead to exposure of confidential information, unauthorized modifications, and potential disruption of services within the workspace. Since the vulnerability affects confidentiality, integrity, and availability, it poses a risk of data breaches, privilege escalation, and operational impact. Exploitation is remote and does not require authentication, increasing the risk if the system is not patched. [3, 5]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade DecoCMS Mesh to version 1.0.0-alpha.32, which includes a patch that enforces strict domain validation during the team auto-join process. This patch ensures that only users whose email domain matches the workspace domain can join the workspace, preventing unauthorized access. The patch is identified by commit 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d and was merged on December 7, 2025. [1, 2, 4, 5]

Compliance Impact

The provided resources do not contain information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart