CVE-2025-3228 MEDIUM

CVE-2025-3228: Unauthorized Guest user access to Playbook

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published June 20, 2025
Last update June 23, 2025
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

Key dates

02Disclosure timeline

June 20, 2025 CVE published
June 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read CVE-2023-3582 Lack of channel membership check when linking a board to a channel CVE-2026-31805 Discourse has a poll authorization bypass via post_id array parameter CVE-2024-43250 WordPress Bit Form Pro plugin <= 2.6.4 - Authenticated Plugin Settings Change vulnerability CVE-2026-25127 OpenEMR has Broken Access Control on Care Coordination Module