| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | >= 10.6.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 | go | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 | go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250414154356-6f33b721de76 | 8.0.0-20250414154356-6f33b721de76 |
The vulnerability (CVE-2025-3611 / GHSA-86jg-35xj-3vv5) in Mattermost allowed System Managers to view team details they should not have had access to, even when their role was explicitly configured with 'No access' to Teams in the System Console. The cause was improper enforcement of access control restrictions.
The root cause of this vulnerability is located in the init() function within the server/public/model/role.go file. In its pre-patch state, this function incorrectly established an implicit permission grant. Specifically, it associated the PermissionViewTeam permission with the PermissionSysconsoleReadReportingTeamStatistics permission. This meant that any user role possessing PermissionSysconsoleReadReportingTeamStatistics would also, unintentionally and implicitly, be granted PermissionViewTeam.
Consequently, when a System Manager who held PermissionSysconsoleReadReportingTeamStatistics for a legitimate reason (such as viewing team statistics) made direct API requests to team endpoints (for example, a client.getTeam() call as demonstrated in the provided test file e2e-tests/.../team_access.spec.ts), the API handlers for those endpoints performed their access control checks, which typically verify that the user holds PermissionViewTeam for the requested team. Because of the flawed implicit grant set up by the vulnerable model.init() function, these checks incorrectly passed for the System Manager even when their explicit team access configuration was set to 'No access', allowing them to view team details they were not authorized to see.
The provided patch rectifies this issue by removing the erroneous implicit grant of PermissionViewTeam from PermissionSysconsoleReadReportingTeamStatistics within the model.init() function. This ensures that PermissionViewTeam is only granted based on explicit role configurations, thereby causing the API handlers for team data to correctly enforce access control.
While the model.init() function itself is executed during package initialization and not directly in the call stack of each API request during an exploit, its vulnerable pre-patch version is the source of the incorrect permission state that leads to the vulnerability. The functions that would appear in a runtime profile or stack trace during the exploitation of this vulnerability would be the various API handlers for team endpoints (e.g., functions like GetTeam, GetTeamByName likely located in the server/channels/api4 package). These API handlers become effectively vulnerable because they rely on the permission system that was misconfigured by the flawed model.init().
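To make the implicit-grant mechanism concrete, the following Go program is an added illustration written for this page; it is not Mattermost's code and does not reproduce the real role.go. It models a role as an explicit permission list plus an "implied grants" map, shows how the pre-patch style mapping (the reporting permission conferring PermissionViewTeam) lets a System Manager configured with 'No access' pass a handler's PermissionViewTeam check, shows that the patched (empty) mapping does not, and includes a small audit that flags roles receiving a permission only through implication. The permission string values, the Role type and the role name are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission identifiers. The two names come from the advisory; the string
// values are assumed here for illustration only.
const (
	PermissionViewTeam                              = "view_team"
	PermissionSysconsoleReadReportingTeamStatistics = "sysconsole_read_reporting_team_statistics"
)

// Role holds the permissions explicitly configured for a role in the
// System Console (constructed model for this example, not Mattermost's type).
type Role struct {
	Name        string
	Permissions []string
}

// ImpliedGrants maps a permission to other permissions it implicitly confers.
type ImpliedGrants map[string][]string

// vulnerableImpliedGrants mirrors the shape of the pre-patch mistake described
// in the advisory: holding the reporting permission implied PermissionViewTeam.
func vulnerableImpliedGrants() ImpliedGrants {
	return ImpliedGrants{
		PermissionSysconsoleReadReportingTeamStatistics: {PermissionViewTeam},
	}
}

// patchedImpliedGrants has no such mapping: PermissionViewTeam must be explicit.
func patchedImpliedGrants() ImpliedGrants {
	return ImpliedGrants{}
}

// EffectivePermissions expands a role's explicit permissions through the
// implied-grant map, following chains transitively and de-duplicating.
func EffectivePermissions(r Role, implied ImpliedGrants) []string {
	seen := map[string]bool{}
	stack := append([]string(nil), r.Permissions...)
	for len(stack) > 0 {
		p := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[p] {
			continue
		}
		seen[p] = true
		stack = append(stack, implied[p]...)
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// HasPermission is the kind of check an API handler for a team endpoint makes.
func HasPermission(r Role, implied ImpliedGrants, perm string) bool {
	for _, p := range EffectivePermissions(r, implied) {
		if p == perm {
			return true
		}
	}
	return false
}

// systemManagerNoTeamAccess models a System Manager whose Teams section is set
// to "No access" (so no explicit PermissionViewTeam) but who keeps the
// team-statistics reporting permission.
func systemManagerNoTeamAccess() Role {
	return Role{
		Name:        "system_manager",
		Permissions: []string{PermissionSysconsoleReadReportingTeamStatistics},
	}
}

// AuditImpliedGrants returns the names of roles that end up with perm only
// through implied grants, i.e. perm is absent from their explicit list.
func AuditImpliedGrants(roles []Role, implied ImpliedGrants, perm string) []string {
	var flagged []string
	for _, r := range roles {
		explicit := false
		for _, p := range r.Permissions {
			if p == perm {
				explicit = true
			}
		}
		if !explicit && HasPermission(r, implied, perm) {
			flagged = append(flagged, r.Name)
		}
	}
	return flagged
}

func main() {
	role := systemManagerNoTeamAccess()
	fmt.Println("pre-patch  view_team:", HasPermission(role, vulnerableImpliedGrants(), PermissionViewTeam))
	fmt.Println("post-patch view_team:", HasPermission(role, patchedImpliedGrants(), PermissionViewTeam))
	fmt.Println("roles with implicit view_team:", AuditImpliedGrants([]Role{role}, vulnerableImpliedGrants(), PermissionViewTeam))
}
```

The audit function is the defender's takeaway: whenever a permission model derives permissions from other permissions, listing every role that acquires a sensitive permission without it appearing in the role's explicit configuration surfaces exactly this class of mismatch between what the System Console shows and what the handlers enforce.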