CVE-2025-3228: 
vulnerability analysis and mitigation

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, and 10.6.x <= 10.6.5 contain a vulnerability related to improper retrieval of requestorInfo from playbooks handler for guest users. The vulnerability was disclosed on June 20, 2025, and has been assigned identifier CVE-2025-3228 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, and requires no user interaction. The vulnerability is classified as CWE-863 (Incorrect Authorization) (NVD).

When exploited, this vulnerability allows an attacker to gain unauthorized access to the playbook run functionality. The impact is primarily limited to confidentiality, with no direct impact on integrity or availability of the system (NVD).

Users should upgrade to the latest version of Mattermost that addresses this vulnerability. The issue has been fixed in versions newer than 10.5.5, 9.11.15, 10.8.0, 10.7.2, and 10.6.5 respectively (Mattermost Security).