Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.
Fixes

Solution

Update Mattermost to versions 10.7.0, 10.6.2, 10.5.3, 10.4.5, 9.11.12 or higher.


Workaround

No workaround given by the vendor.

References
History

Mon, 29 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Thu, 15 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 May 2025 10:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.
Title Members Without Guest Invite Permissions Can Add Guests to Teams
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-05-15T13:41:54.267Z

Reserved: 2025-04-08T11:30:51.635Z

Link: CVE-2025-3446

cve-icon Vulnrichment

Updated: 2025-05-15T13:41:21.898Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-15T11:15:48.777

Modified: 2025-09-29T21:05:33.320

Link: CVE-2025-3446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-06-24T09:44:20Z