Mattermost Improper Channel Member Management Vulnerability in Playbook Runs

Vulnerability

A vulnerability exists in Mattermost versions 10.5.x through 10.5.5, 9.11.x through 9.11.15, 10.8.x through 10.8.0, 10.7.x through 10.7.2, and 10.6.x through 10.6.5. The issue arises from the application's failure to properly enforce permissions related to channel member management during playbook runs. This flaw allows authenticated users lacking the 'Manage Channel Members' permission to add or remove users from both public and private channels. The exploitation involves manipulating playbook run participants when the run is associated with a channel.
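As an added illustration of the flaw class described above (this is not Mattermost's code and not part of the advisory; every type, name and the authorizer function are hypothetical), the Go snippet below models a playbook run that is linked to a channel. The vulnerable variant updates channel membership as a side effect of changing run participants without any check; the fixed variant requires the actor to hold the manage-members permission on the linked channel, so the indirect path is authorized the same way a direct membership change would be.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a hypothetical permission identifier (constructed for this example).
type Permission string

const PermManageChannelMembers Permission = "manage_channel_members"

// Channel is a simplified channel with a membership set.
type Channel struct {
	ID      string
	Members map[string]bool
}

// Run is a simplified playbook run. ChannelID is empty when the run is not
// associated with any channel.
type Run struct {
	ID           string
	ChannelID    string
	Participants map[string]bool
}

// Authorizer reports whether userID holds permission p on channelID.
// In a real system this would consult the server's permission model.
type Authorizer func(userID, channelID string, p Permission) bool

var ErrForbidden = errors.New("forbidden: manage_channel_members required on linked channel")

// linked reports whether the run is associated with the given channel.
func linked(run *Run, ch *Channel) bool {
	return ch != nil && run.ChannelID != "" && run.ChannelID == ch.ID
}

// setMember adds or removes target from a membership set.
func setMember(set map[string]bool, target string, add bool) {
	if add {
		set[target] = true
	} else {
		delete(set, target)
	}
}

// ChangeParticipantVulnerable mirrors the behaviour the advisory describes:
// the run's participants and the linked channel's members change without
// checking whether the actor may manage channel members.
func ChangeParticipantVulnerable(run *Run, ch *Channel, actor, target string, add bool) {
	setMember(run.Participants, target, add)
	if linked(run, ch) {
		setMember(ch.Members, target, add)
	}
}

// ChangeParticipant is the hardened variant: because a participant change on a
// linked run alters channel membership, the actor must hold
// manage_channel_members on that channel before anything is modified.
func ChangeParticipant(authz Authorizer, run *Run, ch *Channel, actor, target string, add bool) error {
	if linked(run, ch) {
		if !authz(actor, ch.ID, PermManageChannelMembers) {
			return ErrForbidden
		}
		setMember(ch.Members, target, add)
	}
	setMember(run.Participants, target, add)
	return nil
}

func main() {
	// Constructed sample data: alice may manage members of "general", bob may not.
	grants := map[string]bool{"alice:general": true}
	authz := func(userID, channelID string, p Permission) bool {
		return p == PermManageChannelMembers && grants[userID+":"+channelID]
	}
	ch := &Channel{ID: "general", Members: map[string]bool{"alice": true, "bob": true}}
	run := &Run{ID: "run-1", ChannelID: "general", Participants: map[string]bool{"alice": true, "bob": true}}

	err := ChangeParticipant(authz, run, ch, "bob", "mallory", true)
	fmt.Println("bob adds mallory (fixed):", err, "member:", ch.Members["mallory"])

	err = ChangeParticipant(authz, run, ch, "alice", "carol", true)
	fmt.Println("alice adds carol (fixed):", err, "member:", ch.Members["carol"])

	ChangeParticipantVulnerable(run, ch, "bob", "mallory", true)
	fmt.Println("bob adds mallory (vulnerable): member:", ch.Members["mallory"])
}
```

The design point is that the authorization check keys on the effect (channel membership changes) rather than on the entry point (a run-participant endpoint); a run with no linked channel still accepts participant changes without a channel permission, which the test below also exercises.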

Impact

Exploitation of this vulnerability could lead to unauthorized changes in channel membership, allowing users to add or remove participants from channels without the necessary permissions.

Remediation

Users can upgrade to Mattermost versions 10.9.0, 10.8.2, 10.7.4, 10.6.6, or 9.11.17 to address this vulnerability.

Added: Jun 20, 2025, 6:13 PM
Updated: Jun 20, 2025, 6:13 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          0.6
  exploitability  5.2
  remediation     7.7
  relevance       0.2
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.