CVE-2025-32093 MEDIUM

CVE-2025-32093: Syatem admin profile modification by delegated granular administration role

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published April 14, 2025
Last update April 14, 2025
View on NVD All CVEs

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.

Key dates

02Disclosure timeline

April 14, 2025 CVE published
April 14, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-6383 Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation CVE-2026-32108 Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access CVE-2026-1553 Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006 CVE-2025-48445 Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066 CVE-2026-44654 LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's other private agents