Severity: MEDIUM (score 4.3) · Ecosystem: Go

Mattermost allows unauthorized channel member management through playbook runs

GHSA-qwwm-c582-82rx · CVE-2025-3227 · GO-2025-3772


Description

Affected versions: 9.11.x up to and including 9.11.15, 10.5.x up to and including 10.5.5, 10.6.x up to and including 10.6.5, 10.7.x up to and including 10.7.2, and 10.8.x up to and including 10.8.0.

These versions fail to enforce channel member management permissions in playbook runs. When a run is linked to a channel, an authenticated user who lacks the 'Manage Channel Members' permission can add users to, or remove users from, that channel, public or private, by adding or removing participants on the run: the participant change is applied to the linked channel's membership without the acting user's channel permission being checked.
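The flaw is a classic confused-deputy pattern: a mutation on one object (the run's participant list) carries a side effect on another object (the linked channel's membership) whose permission check is skipped. The following Go program is an added illustration of that pattern and of the check that closes it; it is not Mattermost's code, and every type, function and name in it (Store, Run, Channel, the permission string, the users "alice", "bob" and "carol") is a constructed assumption, not the project's real API.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration, not Mattermost code: every name below is a constructed
// simplification of the flow the advisory describes.

const PermManageChannelMembers = "manage_channel_members"

var ErrForbidden = errors.New("forbidden: actor lacks manage_channel_members on the linked channel")

type Channel struct {
	ID      string
	Members map[string]bool
}

// Run is a playbook run; ChannelID is "" when the run is not linked to a channel.
type Run struct {
	ID           string
	ChannelID    string
	Participants map[string]bool
}

type Store struct {
	Channels map[string]*Channel
	// Perms[channelID][userID][permission]: per-channel permission grants.
	Perms map[string]map[string]map[string]bool
}

func (s *Store) HasChannelPermission(userID, channelID, perm string) bool {
	return s.Perms[channelID][userID][perm] // reads from nil maps yield false
}

// applyParticipant mirrors a participant change to the run and, if linked, to the channel.
func (s *Store) applyParticipant(r *Run, target string, add bool) {
	ch := s.Channels[r.ChannelID]
	if add {
		r.Participants[target] = true
		if ch != nil {
			ch.Members[target] = true
		}
		return
	}
	delete(r.Participants, target)
	if ch != nil {
		delete(ch.Members, target)
	}
}

// SetParticipantVulnerable never consults the actor's permission on the linked
// channel, so any user who can edit the run can change channel membership.
func (s *Store) SetParticipantVulnerable(r *Run, actor, target string, add bool) error {
	_ = actor // unused: this omission is the bug
	s.applyParticipant(r, target, add)
	return nil
}

// SetParticipantFixed gates the channel side effect on 'Manage Channel Members'.
// The run-only part of the change needs no channel permission, so the check is
// applied only when channel membership would actually change.
func (s *Store) SetParticipantFixed(r *Run, actor, target string, add bool) error {
	if ch := s.Channels[r.ChannelID]; ch != nil {
		changesMembership := add != ch.Members[target] // adding a non-member or removing a member
		if changesMembership && !s.HasChannelPermission(actor, ch.ID, PermManageChannelMembers) {
			return ErrForbidden
		}
	}
	s.applyParticipant(r, target, add)
	return nil
}

// NewScenario builds a constructed private channel linked to a run. "alice" holds
// the manage permission on the channel; "bob" is a plain member without it.
func NewScenario() (*Store, *Run) {
	ch := &Channel{ID: "priv", Members: map[string]bool{"alice": true, "bob": true}}
	s := &Store{
		Channels: map[string]*Channel{"priv": ch},
		Perms: map[string]map[string]map[string]bool{
			"priv": {"alice": {PermManageChannelMembers: true}},
		},
	}
	r := &Run{ID: "run-1", ChannelID: "priv", Participants: map[string]bool{"alice": true, "bob": true}}
	return s, r
}

// Outcome reports whether the unprivileged "bob" can push "carol" into the linked
// private channel through the run, on the vulnerable and on the fixed path, and
// confirms that the privileged "alice" is still allowed on the fixed path.
func Outcome() (vulnerableAdded bool, fixedErr error, fixedAdded bool, privilegedErr error) {
	s, r := NewScenario()
	_ = s.SetParticipantVulnerable(r, "bob", "carol", true)
	vulnerableAdded = s.Channels["priv"].Members["carol"]

	s, r = NewScenario()
	fixedErr = s.SetParticipantFixed(r, "bob", "carol", true)
	fixedAdded = s.Channels["priv"].Members["carol"]
	privilegedErr = s.SetParticipantFixed(r, "alice", "carol", true)
	return
}

func main() {
	v, fe, fa, pe := Outcome()
	fmt.Printf("vulnerable path, bob adds carol to private channel: %v\n", v)
	fmt.Printf("fixed path, bob: err=%v added=%v\n", fe, fa)
	fmt.Printf("fixed path, alice: err=%v\n", pe)
}
```

The check sits at the point where the channel side effect is about to happen rather than at the run-editing entry point, so a user who can legitimately edit the run but not manage the channel can still change run-only state, while every path that ends in a channel membership change passes through the same permission test.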
