CVE-2025-10545 in Mattermost

Summary

by MITRE • 10/16/2025

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.


Analysis

by VulDB Data Team • 10/23/2025

CVE-2025-10545 affects Mattermost server versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2. It is a critical authorization flaw that undermines the platform's permission model for guest users: the server does not sufficiently validate guest user privileges during channel membership operations on the `/api/v4/channels/{channel_id}/members` endpoint. As a result, a guest user can bypass the normal access controls and add any team member to a private channel the guest has access to, breaking the security boundaries that the platform's role-based access control is meant to enforce.

The defect lies in the server-side validation logic that governs channel member addition. When a guest user calls the affected endpoint to add a member, the server does not verify that the caller actually holds the administrative privileges or authorization required for that action. This check belongs at the application layer, where the platform is supposed to enforce access control based on user role, channel membership status and team permissions. What is missing is the authorization check on the guest user's ability to modify channel membership, which matters most for private channels, where access restrictions are otherwise enforced.

The operational impact goes beyond a simple permission bypass and creates significant risk for organizations that rely on Mattermost for collaboration. Guest users, who should have only read-only access to specific channels, can escalate to administrative control over channel membership, potentially granting access to other users or restricting access for legitimate team members. This is most serious for organizations that use Mattermost as a secure collaboration environment and deliberately grant guests limited access to protect sensitive information. Being able to add arbitrary team members to private channels undermines the basic security model of private channels, which should be reachable only by authorized participants with the appropriate clearance.

Organizations running affected Mattermost versions should mitigate immediately, above all by applying the latest Mattermost patches that correct the authorization validation logic. Administrators should also add monitoring around channel membership operations so that unauthorized changes to channel access are detected. The vulnerability corresponds to CWE-285 (improper authorization) and is a specific instance of insufficient access control validation. From an attack perspective it maps to ATT&CK technique T1078.004, in which valid accounts are used to bypass access restrictions, since guest users leverage their existing credentials to perform unauthorized administrative actions. Organizations should audit for unauthorized channel modifications made during the vulnerability window, focusing on private channels to which guest users have access. Remediation should include verifying that guest user permissions are properly restricted, so that privilege escalation is prevented while the intended collaboration functionality of guest access is preserved.
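One way to run the audit described above, as an added example that is not part of this advisory or of Mattermost's own tooling: Mattermost records each member addition as a system post of type `system_add_to_channel`, and the example below walks such posts and flags additions performed by a user whose roles include `system_guest` into a private channel (type `P`). The prop names `userId` and `addedUserId`, the sample users, channels and posts are all constructed or assumed here and should be checked against the posts your server actually returns.

```python
"""Flag channel member additions performed by guest accounts (constructed sample data)."""

# Constructed sample: users keyed by id, with the space-separated roles string
# that GET /api/v4/users returns in its "roles" field.
USERS = {
    "u_guest": {"username": "contractor", "roles": "system_guest"},
    "u_admin": {"username": "alice", "roles": "system_user system_admin"},
    "u_bob": {"username": "bob", "roles": "system_user"},
}

# Constructed sample: channels keyed by id; "P" is private, "O" is public.
CHANNELS = {
    "c_priv": {"display_name": "finance-private", "type": "P"},
    "c_pub": {"display_name": "town-square", "type": "O"},
}

# Constructed sample: system posts as fetched per channel. Prop names assumed.
POSTS = [
    {"type": "system_add_to_channel", "channel_id": "c_priv", "create_at": 1760000000000,
     "props": {"userId": "u_guest", "addedUserId": "u_bob"}},       # guest adds to private
    {"type": "system_add_to_channel", "channel_id": "c_priv", "create_at": 1760000001000,
     "props": {"userId": "u_admin", "addedUserId": "u_bob"}},       # admin adds: legitimate
    {"type": "system_add_to_channel", "channel_id": "c_pub", "create_at": 1760000002000,
     "props": {"userId": "u_guest", "addedUserId": "u_bob"}},       # guest adds to public
    {"type": "", "channel_id": "c_priv", "create_at": 1760000003000, "props": {}},  # normal post
]


def is_guest(user_id, users):
    """True when the user's roles string contains the system_guest role."""
    roles = users.get(user_id, {}).get("roles", "")
    return "system_guest" in roles.split()


def find_guest_additions(posts, users, channels, private_only=True):
    """Return (actor_id, added_id, channel_id, create_at) for every member
    addition performed by a guest; by default only private channels count."""
    findings = []
    for post in posts:
        if post.get("type") != "system_add_to_channel":
            continue
        props = post.get("props", {})
        actor, added = props.get("userId"), props.get("addedUserId")
        if private_only and channels.get(post["channel_id"], {}).get("type") != "P":
            continue
        if is_guest(actor, users):
            findings.append((actor, added, post["channel_id"], post["create_at"]))
    return findings


if __name__ == "__main__":
    for actor, added, chan, ts in find_guest_additions(POSTS, USERS, CHANNELS):
        print(f"guest {USERS[actor]['username']} added {USERS[added]['username']} "
              f"to {CHANNELS[chan]['display_name']} at {ts}")
```

On a patched server a guest-initiated addition should not occur at all, so any hit here points at activity from the vulnerability window and deserves a membership review of that channel.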

Responsible

Mattermost

Reservation

09/16/2025

Disclosure

10/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00009

KEV

no

Activities

very low
