CVE-2025-27715 LOW

CVE-2025-27715: Auto-Enrollment of Team Admins into Private Channels without explicit consent

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published March 21, 2025
Last update March 21, 2025

CVSS base score

3.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalink links without their explicit consent.
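The Go sketch below is an added example and not Mattermost's code. It models the decision point the description refers to, a user following a permalink into a channel they do not belong to, with the flawed auto-enrolment of team admins beside a version that separates "may join" from "has joined". All type, function and channel names are hypothetical, and the assumption that a public channel is still joined on view is ours.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model (not Mattermost's code) of the permalink-resolution
// decision behind CVE-2025-27715. Channel and User are constructed stand-ins
// for the server's data model.
type Channel struct {
	ID      string
	Private bool
	Members map[string]bool
}

type User struct {
	ID        string
	TeamAdmin bool
}

var (
	ErrNotAMember      = errors.New("not a member of the target channel")
	ErrConsentRequired = errors.New("explicit join confirmation required")
)

func newChannel(id string, private bool) *Channel {
	return &Channel{ID: id, Private: private, Members: map[string]bool{}}
}

// resolvePermalinkVulnerable models the flawed behaviour: a team admin who
// follows a permalink into a private channel is silently added as a member.
// It reports whether membership changed.
func resolvePermalinkVulnerable(u *User, ch *Channel) (bool, error) {
	if ch.Members[u.ID] {
		return false, nil // already a member, nothing to do
	}
	if !ch.Private || u.TeamAdmin {
		ch.Members[u.ID] = true // auto-enrolment: no prompt, no consent
		return true, nil
	}
	return false, ErrNotAMember
}

// resolvePermalinkFixed keeps the same authorization rule (a team admin may
// join a private channel) but separates "may join" from "has joined": a
// privileged non-member gets ErrConsentRequired and nothing is written.
// Joining a public channel on view is assumed to remain normal behaviour.
func resolvePermalinkFixed(u *User, ch *Channel) (bool, error) {
	if ch.Members[u.ID] {
		return false, nil
	}
	if ch.Private {
		if u.TeamAdmin {
			return false, ErrConsentRequired
		}
		return false, ErrNotAMember
	}
	ch.Members[u.ID] = true
	return true, nil
}

// joinChannel is the explicit, user-initiated step the fixed flow requires;
// confirmed is true only when the user accepted the join prompt.
func joinChannel(u *User, ch *Channel, confirmed bool) error {
	if !confirmed {
		return ErrConsentRequired
	}
	if ch.Private && !u.TeamAdmin && !ch.Members[u.ID] {
		return ErrNotAMember
	}
	ch.Members[u.ID] = true
	return nil
}

func main() {
	admin := &User{ID: "alice", TeamAdmin: true}

	before := newChannel("private-finance", true)
	joined, err := resolvePermalinkVulnerable(admin, before)
	fmt.Printf("vulnerable: joined=%v err=%v member=%v\n", joined, err, before.Members[admin.ID])

	after := newChannel("private-finance", true)
	joined, err = resolvePermalinkFixed(admin, after)
	fmt.Printf("fixed:      joined=%v err=%v member=%v\n", joined, err, after.Members[admin.ID])

	err = joinChannel(admin, after, true)
	fmt.Printf("after consent: err=%v member=%v\n", err, after.Members[admin.ID])
}
```

The point of the fixed variant is that the permalink handler never writes membership for a private channel: it returns ErrConsentRequired so the client can show a join prompt, and the only path that adds the team admin is joinChannel with confirmed set, which is a separate, user-initiated request. The authorization rule itself is unchanged, which is why the weakness is classed as incorrect authorization (CWE-863) rather than a missing check.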

Key dates

02 Disclosure timeline

March 21, 2025 CVE published
March 21, 2025 Record updated