Vulnerability DatabaseCVE-2025-22449

CVE-2025-22449:
Chainguard vulnerability analysis and mitigation

Overview

Mattermost versions 9.11.x <= 9.11.5 contain a vulnerability where team admins can bypass invite permissions. The vulnerability was discovered and disclosed on January 9, 2025, affecting the access control functionality in Mattermost's team management system (NVD, Red Hat).

Technical details

The vulnerability is classified as an Incorrect Authorization issue (CWE-863). It allows team admins to circumvent invite permissions by updating the 'allowopeninvite' field to make their team public, despite not having the proper permissions to invite users. The vulnerability has been assigned a CVSS v3.1 base score of 3.8 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (NVD).

Impact

The vulnerability allows team admins to bypass intended access restrictions and invite users to their team without proper authorization. This could lead to unauthorized access to team resources and potential violation of organizational access control policies (Red Hat).

Mitigation and workarounds

Organizations using affected versions of Mattermost (9.11.x <= 9.11.5) should upgrade to version 9.11.6 or later which contains the security fix (Mattermost Security).

Additional resources

Source: This report was generated using AI

Related Chainguard vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-62593	CRITICAL	9.4	Chainguard	ray	No	Yes	Nov 26, 2025
CVE-2025-66031	HIGH	8.7	JavaScript	opensearch-dashboards-2-fips	No	Yes	Nov 26, 2025
CVE-2025-66201	HIGH	8.6	Chainguard	librechat	No	Yes	Nov 29, 2025
CVE-2025-66030	MEDIUM	6.3	JavaScript	kubeflow-pipelines	No	Yes	Nov 26, 2025
CVE-2025-3261	MEDIUM	6.2	Java	thingsboard	No	Yes	Nov 27, 2025