GHSA-v8fr-vxmw-6mf6

Source

https://github.com/advisories/GHSA-v8fr-vxmw-6mf6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v8fr-vxmw-6mf6/GHSA-v8fr-vxmw-6mf6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-v8fr-vxmw-6mf6

Aliases

CVE-2025-46702

Published

2025-06-30T18:31:50Z

Modified

2025-06-30T20:57:12.875949Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Mattermost Incorrect Authorization vulnerability

Details

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-30T17:15:32Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed_at": "2025-06-30T20:40:33Z"
}

References

Affected packages

Go / github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20250513065225-4ae5d647fb88

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20250513065225-4ae5d647fb88

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

9.11.0

Fixed

9.11.16

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.5.0

Fixed

10.5.6

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.6.0

Fixed

10.6.6

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.7.0

Fixed

10.7.3

Go / github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

10.8.0

Fixed

10.8.1