Upstream information
Description
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpointSUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (Mattermost) | National Vulnerability Database |
|---|---|---|
| Base Score | 3.1 | 4.3 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | High | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | Low | Low |
| Integrity Impact | None | None |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15710 |
SUSE Timeline for this CVE
CVE page created: Thu Oct 16 12:02:56 2025CVE page last modified: Sat Nov 8 22:21:31 2025