Vulnerability Details
Basic Information
| Title | CVE-2025-3446 |
|---|---|
| Type | cve |
| Published | 2025-05-15T11:15:48 |
| Last Seen | 2025-05-15T11:23:16 |
| CVSS Score | 4.3 (MEDIUM) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | NONE |
CVE Information
| CVE IDs | CVE-2025-3446 |
|---|---|
| CWE | CWE-863 |
| Bulletin Family | cve |
Description
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.
Impact Assessment
| Base Score | 4.3 |
|---|---|
| Severity | MEDIUM |