Mattermost Multi-Factor Authentication Bypass Vulnerability for User Management

Vulnerability

A vulnerability exists in Mattermost versions 10.5.x through 10.5.1 and 9.11.x through 9.11.9: the application does not properly enforce multi-factor authentication (MFA) checks in the user-management API endpoint. Specifically, when a user holding the 'edit_other_users' permission sends a PUT request to modify another user's MFA settings, the missing MFA validation lets them activate or deactivate MFA for that user, even if that user has never set up MFA.

Impact

Exploitation of this vulnerability allows users with the 'edit_other_users' permission to manipulate multi-factor authentication settings for other users, potentially leading to unauthorized access or actions on behalf of those users.
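As an added detection example (not from the advisory or from Mattermost), the check below sweeps API access records for PUT requests to another user's MFA endpoint, which is the request pattern the advisory describes; it assumes the endpoint path /api/v4/users/{user_id}/mfa and a constructed JSON-lines record format, so adapt the field names to your own access or audit log.

```python
import json
import re

# Assumed endpoint shape (Mattermost API v4 "update MFA"); not stated in the advisory.
MFA_PATH = re.compile(r"^/api/v4/users/(?P<target>[A-Za-z0-9]+)/mfa$")

def find_cross_user_mfa_changes(lines):
    """Return one finding per PUT to another user's MFA endpoint.
    Records are JSON objects with 'user_id' (requester), 'method', 'path',
    'status', 'timestamp'; self-service changes (requester == target) are normal."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the sweep
        if not isinstance(rec, dict) or rec.get("method") != "PUT":
            continue
        match = MFA_PATH.match(rec.get("path", ""))
        if not match:
            continue
        actor, target = rec.get("user_id"), match.group("target")
        if actor and actor != target:
            findings.append({
                "timestamp": rec.get("timestamp"),
                "actor": actor,
                "target": target,
                # 403 means the server refused the change; 200 means it went through
                "status": rec.get("status"),
            })
    return findings

# Constructed sample records, not real Mattermost log output.
SAMPLE_LOG = """
{"timestamp": "2025-06-09T19:40:01Z", "user_id": "adminaaaa", "method": "PUT", "path": "/api/v4/users/victimbbbb/mfa", "status": 200}
{"timestamp": "2025-06-09T19:40:05Z", "user_id": "victimbbbb", "method": "PUT", "path": "/api/v4/users/victimbbbb/mfa", "status": 200}
{"timestamp": "2025-06-09T19:40:09Z", "user_id": "adminaaaa", "method": "GET", "path": "/api/v4/users/victimbbbb/mfa", "status": 200}
{"timestamp": "2025-06-09T19:40:12Z", "user_id": "adminaaaa", "method": "PUT", "path": "/api/v4/users/victimbbbb/patch", "status": 200}
not-json garbage line
{"timestamp": "2025-06-09T19:41:30Z", "user_id": "adminaaaa", "method": "PUT", "path": "/api/v4/users/othercccc/mfa", "status": 403}
"""

if __name__ == "__main__":
    for finding in find_cross_user_mfa_changes(SAMPLE_LOG.splitlines()):
        print(finding)
```

Findings with status 200 on an unpatched version deserve a review of the target account's MFA state; 403 entries show the attempt was refused but still identify which accounts are exercising the permission.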

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.