CVE-2025-3227 – github.com/mattermost/mattermost-server

Package

Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=0 <0.0.0-20250520060012-d0380305ef7a

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00032 pctl0.0771

Details

Mattermost allows unauthorized channel member management through playbook runs Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Metadata

Created: 2025-06-20T15:30:38Z
Modified: 2025-06-20T18:08:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-qwwm-c582-82rx
Finding: F006
Auto approve: 1