4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32093

GHSA ID

GHSA-322v-vh2g-qvpv

EPSS Score

0.12581%

CWE

CWE-863

Published

4/14/2025

Updated

4/23/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32093

CVE-2025-32093: Mattermost Fails to Restrict Certain Operations on System Admins

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.

(GitHub Advisory)

4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32093

GHSA ID

GHSA-322v-vh2g-qvpv

EPSS Score

0.12581%

CWE

CWE-863

Published

4/14/2025

Updated

4/23/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost-server	go	>= 10.5.0, < 10.5.2	10.5.2
github.com/mattermost/mattermost-server	go	>= 10.4.0, < 10.4.4	10.4.4
github.com/mattermost/mattermost-server	go	>= 9.11.0, < 9.11.10	9.11.10
github.com/mattermost/mattermost/server/v8	go	>= 10.5.0, < 10.5.2	10.5.2
github.com/mattermost/mattermost/server/v8	go	>= 10.4.0, < 10.4.4	10.4.4
github.com/mattermost/mattermost/server/v8	go	>= 9.11.0, < 9.11.10	9.11.10
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20250227102013-aa4623a93199	8.0.0-20250227102013-aa4623a93199

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability describes an improper permission validation allowing users with "Edit Other Users" permission to modify system administrators. The provided commit aa4623a9319943d9f54383b22b55e7d06a324e20 directly addresses this by modifying the SessionHasPermissionToUser function in server/channels/app/authorization.go. The patch introduces logic to explicitly check if the target user (userID) is a system admin. If the target is a system admin, the function now returns false unless the session holder has model.PermissionManageSystem or is unrestricted. This directly fixes the described flaw where a user with only model.PermissionEditOtherUsers could previously modify a system admin. Therefore, app.SessionHasPermissionToUser is the function where the improper permission validation occurred.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions **.*.x <= **.*.*, **.*.x <= **.*.*, *.**.x <= *.**.* **il to r*stri*t **rt*in op*r*tions on syst*m **mins to only ot**r syst*m **mins, w*i** *llows **l***t** *r*nul*r **ministr*tion us*rs wit* t** "**it Ot**r Us*rs" p*rmission to

Reasoning

T** vuln*r**ility **s*ri**s *n improp*r p*rmission v*li**tion *llowin* us*rs wit* "**it Ot**r Us*rs" p*rmission to mo*i*y syst*m **ministr*tors. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is *y mo*i*yin* t** `

4.7

Basic Information

Concerned about an active attack path?

CVE-2025-32093: Mattermost Fails to Restrict Certain Operations on System Admins

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI