CVE-2025-30179 MEDIUM

CVE-2025-30179: MFA Enforcement Bypass in Search APIs

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published March 21, 2025
Last update March 21, 2025
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.

Key dates

02Disclosure timeline

March 21, 2025 CVE published
March 21, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-6837 Incorrect Authorization in Multiple WSO2 Products via Federated Authentication with JIT Provisioning Leading to User Impersonation CVE-2025-3227 Unauthorized channel member management through playbook runs CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions CVE-2025-24866 Unauthorized Access to User Activity Logs API by delegated granular administration roles CVE-2023-27485 Insufficient verification of authorisation when accessing subresults in thmmniii/fbs-core