GHSA-qwwm-c582-82rx

Source
https://github.com/advisories/GHSA-qwwm-c582-82rx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwwm-c582-82rx
Aliases
Published
2025-06-20T15:30:38Z
Modified
2025-07-28T20:42:05.140259Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost allows unauthorized channel member management through playbook runs
Details

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-20T15:15:20Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed_at": "2025-06-20T18:08:17Z",
    "severity": "MODERATE"
}
References

Affected packages

Go
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.0-20250520060012-d0380305ef7a

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.0.0-20250520060012-d0380305ef7a

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.5.0
Fixed
10.5.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
last_known_affected_version_range
"<= 10.5.5"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
9.11.0
Fixed
9.11.16

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
last_known_affected_version_range
"<= 9.11.15"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.8.0
Fixed
10.8.1

Affected versions

10.8.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.7.0
Fixed
10.7.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
last_known_affected_version_range
"<= 10.7.2"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.6.0
Fixed
10.6.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-qwwm-c582-82rx/GHSA-qwwm-c582-82rx.json"
last_known_affected_version_range
"<= 10.6.5"