CVE-2025-32093

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.

Published: Apr 14, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-32093
GHSA: GHSA-322v-vh2g-qvpv
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	10.5.0	10.5.2
github.com/mattermost/mattermost-server	10.4.0	10.4.4
github.com/mattermost/mattermost-server	9.11.0	9.11.10
github.com/mattermost/mattermost/server/v8	10.5.0	10.5.2
github.com/mattermost/mattermost/server/v8	10.4.0	10.4.4
github.com/mattermost/mattermost/server/v8	9.11.0	9.11.10
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250227102013-aa4623a93199

Vulnerability Database

289,784

CVE-2025-32093