CVE-2025-3227

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Published: Jun 20, 2025
Updated: Jul 1, 2025
CVE: CVE-2025-3227
GHSA: GHSA-qwwm-c582-82rx
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	-	0.0.0-20250520060012-d0380305ef7a
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250520060012-d0380305ef7a
github.com/mattermost/mattermost/server/v8	10.5.0	10.5.6
github.com/mattermost/mattermost/server/v8	9.11.0	9.11.16
github.com/mattermost/mattermost/server/v8	10.8.0	10.8.0.x
github.com/mattermost/mattermost/server/v8	10.8.0	10.8.1
github.com/mattermost/mattermost/server/v8	10.7.0	10.7.3
github.com/mattermost/mattermost/server/v8	10.6.0	10.6.6

https://mattermost.com/security-updates

Vulnerability Database

289,697

CVE-2025-3227