
CVE-2025-10545: Mattermost has an Incorrect Authorization vulnerability

CVSS Score
3.1

Basic Information

EPSS Score
0.04067%
Published
10/16/2025
Updated
10/16/2025
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250820115038-ff30b84049f0 | 8.0.0-20250820115038-ff30b84049f0
github.com/mattermost/mattermost-server | go | >= 10.5.0, < 10.5.11 | 10.5.11
github.com/mattermost/mattermost-server | go | >= 10.11.0, < 10.11.3 | 10.11.3

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability description points to an incorrect authorization issue in the /api/v4/channels/{channel_id}/members endpoint that lets guest users add members they should not be able to add. The referenced commits, fb9c583f5e466a566a5122154ef337bbf2238902 and ff30b84049f0193f0570d30e46cffc3602298c67, change the addChannelMember function in server/channels/api4/channel.go. The patch introduces a check using c.App.UserCanSeeOtherUser for each user a guest attempts to add; the absence of that check in the vulnerable versions is the root cause. addChannelMember is therefore the exact location of the vulnerability and the function that would appear in a runtime profile during exploitation.

Vulnerable functions

addChannelMember
server/channels/api4/channel.go
The vulnerability lies in the `addChannelMember` function, which handles POST requests to the `/api/v4/channels/{channel_id}/members` endpoint. Before the patch, the function only checked that a guest user had `PermissionReadChannel` on the target channel; it never verified that the guest was allowed to see the users being added. A guest could therefore add any member of the team to a private channel they belonged to, including members they were not supposed to know about or interact with. The patch adds a loop over the users being added that calls `c.App.UserCanSeeOtherUser` for each one, so the request is rejected unless the guest has visibility of every target user.
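The following is an added example, not Mattermost's code, that models the guest path of `addChannelMember` in a few dozen lines so the missing check can be seen side by side with the patched one. The `App`, `User` and `Channel` types, `HasReadChannelPermission`, the simplified `UserCanSeeOtherUser` rule (a guest sees only users who share a channel with them) and the fixture data are all assumptions of the example; the real handler has additional permission checks for non-guest callers that are left out here.

```go
// Added example, not Mattermost's code: a simplified model of the guest
// authorization path in addChannelMember, pre-patch beside post-patch.
// Types, helper names and fixture data are assumptions for this example.
package main

import (
	"errors"
	"fmt"
)

// Role distinguishes regular team members from guests.
type Role int

const (
	RoleMember Role = iota
	RoleGuest
)

// User keeps only what the check needs: the role and channel memberships.
type User struct {
	ID       string
	Role     Role
	Channels map[string]bool
}

// Channel is a channel inside a team.
type Channel struct {
	ID      string
	Private bool
}

// App stands in for the Mattermost app layer.
type App struct {
	Users    map[string]*User
	Channels map[string]*Channel
}

// ErrForbidden models the 403 the real handler returns.
var ErrForbidden = errors.New("forbidden: insufficient permissions")

// HasReadChannelPermission models PermissionReadChannel: membership grants read
// access (simplification; the real check consults roles and schemes).
func (a *App) HasReadChannelPermission(u *User, ch *Channel) bool {
	return u.Channels[ch.ID]
}

// UserCanSeeOtherUser models guest visibility: a guest can see only users who
// share at least one channel with them; non-guests see everyone. This is an
// assumption of the example, not the real function's full logic.
func (a *App) UserCanSeeOtherUser(viewer, other *User) bool {
	if viewer.Role != RoleGuest {
		return true
	}
	for chID := range viewer.Channels {
		if other.Channels[chID] {
			return true
		}
	}
	return false
}

// lookup resolves user IDs, failing on unknown IDs before any state changes.
func (a *App) lookup(ids []string) ([]*User, error) {
	out := make([]*User, 0, len(ids))
	for _, id := range ids {
		u, ok := a.Users[id]
		if !ok {
			return nil, fmt.Errorf("no such user %q", id)
		}
		out = append(out, u)
	}
	return out, nil
}

// AddChannelMemberVulnerable mirrors the pre-patch guest path: read access to
// the channel is the only requirement, so a guest can add any team member.
func (a *App) AddChannelMemberVulnerable(actor *User, ch *Channel, targetIDs []string) error {
	if actor.Role == RoleGuest && !a.HasReadChannelPermission(actor, ch) {
		return ErrForbidden
	}
	targets, err := a.lookup(targetIDs)
	if err != nil {
		return err
	}
	for _, t := range targets {
		t.Channels[ch.ID] = true
	}
	return nil
}

// AddChannelMemberFixed mirrors the patched guest path: every target must be
// visible to the guest, and the whole request fails before anyone is added.
func (a *App) AddChannelMemberFixed(actor *User, ch *Channel, targetIDs []string) error {
	if actor.Role == RoleGuest && !a.HasReadChannelPermission(actor, ch) {
		return ErrForbidden
	}
	targets, err := a.lookup(targetIDs)
	if err != nil {
		return err
	}
	if actor.Role == RoleGuest {
		for _, t := range targets {
			if !a.UserCanSeeOtherUser(actor, t) {
				return ErrForbidden
			}
		}
	}
	for _, t := range targets {
		t.Channels[ch.ID] = true
	}
	return nil
}

// NewFixture builds constructed sample data: a guest who shares "shared" with
// alice but has no channel in common with bob, plus a private channel the
// guest belongs to. Returns the app, the guest and the private channel.
func NewFixture() (*App, *User, *Channel) {
	guest := &User{ID: "guest", Role: RoleGuest, Channels: map[string]bool{"shared": true, "private": true}}
	alice := &User{ID: "alice", Role: RoleMember, Channels: map[string]bool{"shared": true}}
	bob := &User{ID: "bob", Role: RoleMember, Channels: map[string]bool{"town-square": true}}
	private := &Channel{ID: "private", Private: true}
	app := &App{
		Users:    map[string]*User{"guest": guest, "alice": alice, "bob": bob},
		Channels: map[string]*Channel{"private": private, "shared": &Channel{ID: "shared"}},
	}
	return app, guest, private
}

func main() {
	app, guest, private := NewFixture()
	fmt.Println("vulnerable, guest adds bob:", app.AddChannelMemberVulnerable(guest, private, []string{"bob"}))
	app, guest, private = NewFixture()
	fmt.Println("fixed, guest adds bob:", app.AddChannelMemberFixed(guest, private, []string{"bob"}))
	fmt.Println("fixed, guest adds alice:", app.AddChannelMemberFixed(guest, private, []string{"alice"}))
}
```

The patched variant validates every target before mutating any membership, so a mixed batch containing one visible and one invisible user is rejected as a whole rather than partially applied; that ordering is the detail to preserve if the check is ever reimplemented.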

WAF Protection Rules

WAF Rule

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/m
