CVE-2025-3227: Mattermost allows unauthorized channel member management through playbook runs

June 20, 2025

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the ‘Manage Channel Members’ permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

References

github.com/advisories/GHSA-qwwm-c582-82rx
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-3227

Code Behaviors & Features

Detect and mitigate CVE-2025-3227 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →