Mattermost Fails to Properly Validate Team Role Modification

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

References

Published by the National Vulnerability Database Aug 21, 2025

Published to the GitHub Advisory Database Aug 21, 2025

Reviewed Aug 21, 2025

Last updated Aug 29, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Incorrect Authorization

CVE ID

GHSA ID

Source code

Uh oh!