CVE-2025-22449

LOW EPSS 18.3%

Published Jan 9, 20251y ago · Modified Jun 17, 20261w ago

3.8 CVSS 3.1

Low

Published Jan 9, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

CVSS Details

Base Score

3.8

Exploitability

1.2

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

18.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 1

Vendor	Product	Version	Range
mattermost	mattermost_server	*	≥9.11.0 – <9.11.6

References 1

mattermost.com https://mattermost.com/security-updates

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.