CVE-2025-41423 LOW

CVE-2025-41423: Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published April 24, 2025
Last update April 24, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.

Key dates

Disclosure timeline

April 24, 2025 CVE published
April 24, 2025 Record updated