Mattermost RestrictSystemAdmin Bypass Vulnerability in Versions 10.5.x and 9.11.x

Vulnerability

A vulnerability exists in Mattermost versions 10.5.x through 10.5.3 and 9.11.x through 9.11.11, where the application fails to properly validate the RestrictSystemAdmin setting for users without access to ExperimentalSettings. This flaw allows a System Manager to access ExperimentalSettings when RestrictSystemAdmin is enabled, potentially leading to unauthorized changes or access via the System Console.

Impact

Exploitation of this vulnerability could allow unauthorized access to ExperimentalSettings, enabling a System Manager to bypass restrictions and potentially manipulate settings or configurations that should be off-limits.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          3.1
impact          2.5
exploitability  5.2
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.