CVE-2025-46702 MEDIUM

CVE-2025-46702: Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published June 30, 2025
Last update June 30, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.

Key dates

02Disclosure timeline

June 30, 2025 CVE published
June 30, 2025 Record updated