CVE-2025-3228

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

Published: Jun 20, 2025
Updated: Jul 2, 2025
CVE: CVE-2025-3228
GHSA: GHSA-4578-6gjh-f2jm
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	-	0.0.0-20250520060012-d0380305ef7a
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250520060012-d0380305ef7a
github.com/mattermost/mattermost/server/v8	10.5.0	10.5.6
github.com/mattermost/mattermost/server/v8	9.11.0	9.11.16
github.com/mattermost/mattermost/server/v8	10.8.0	10.8.0.x
github.com/mattermost/mattermost/server/v8	10.8.0	10.8.1
github.com/mattermost/mattermost/server/v8	10.7.0	10.7.3
github.com/mattermost/mattermost/server/v8	10.6.0	10.6.6

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2025-3228