5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-3913

GHSA ID

GHSA-4mmr-2w8p-whcr

EPSS Score

0.14113%

CWE

CWE-863

Published

5/29/2025

Updated

5/29/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3913

CVE-2025-3913: Mattermost improperly allows team administrators to modify team invites

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-3913

GHSA ID

GHSA-4mmr-2w8p-whcr

EPSS Score

0.14113%

CWE

CWE-863

Published

5/29/2025

Updated

5/29/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	>= 10.7.0-rc1, < 10.7.1	10.7.1
github.com/mattermost/mattermost/server/v8	go	>= 10.6.0-rc1, < 10.6.3	10.6.3
github.com/mattermost/mattermost/server/v8	go	>= 10.5.0-rc1, < 10.5.4	10.5.4
github.com/mattermost/mattermost/server/v8	go	>= 9.0.0-rc1, < 9.11.13	9.11.13
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20250412152950-02c76784380a	8.0.0-20250412152950-02c76784380a

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-3913) description states that Mattermost failed to properly validate permissions when changing team privacy settings, specifically allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. The provided commit 02c76784380acb6802601bd24c205553b9a5a1be directly addresses this issue. The diff for server/channels/api4/team.go shows that a permission check for model.PermissionInviteUser was added to the updateTeamPrivacy function. This function is the handler for the aforementioned API endpoint. The absence of this check before the patch is the root cause of the vulnerability, making updateTeamPrivacy the vulnerable function. The exploit would involve a team administrator, who lacks the 'invite_user' permission, making a request to this endpoint to change team privacy in a way that regenerates the invite ID, thereby bypassing the intended permission model.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost v*rsions **.*.x <= **.*.*, **.*.x <= **.*.*, **.*.x <= **.*.*, *.**.x <= *.**.** **il to prop*rly v*li**t* p*rmissions w**n ***n*in* t**m priv**y s*ttin*s, *llowin* t**m **ministr*tors wit*out t** 'invit* us*r' p*rmission to ****ss *n* mo*

Reasoning

T** vuln*r**ility (*V*-****-****) **s*ription st*t*s t**t M*tt*rmost **il** to prop*rly v*li**t* p*rmissions w**n ***n*in* t**m priv**y s*ttin*s, sp**i*i**lly *llowin* t**m **ministr*tors wit*out t** 'invit* us*r' p*rmission to ****ss *n* mo*i*y t**m

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-3913: Mattermost improperly allows team administrators to modify team invites

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI