CVE-2025-3611: 
vulnerability analysis and mitigation

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 contain an access control vulnerability that affects System Manager roles. The vulnerability was disclosed on May 30, 2025, and assigned identifier CVE-2025-3611. The issue impacts multiple versions of the Mattermost collaboration platform (NVD).

The vulnerability stems from improper enforcement of access control restrictions for System Manager roles. Even when explicitly configured with 'No access' to Teams in the System Console, authenticated users with System Manager privileges can bypass these restrictions through direct API requests to team endpoints. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating a network-accessible vulnerability requiring low privileges but high attack complexity (NVD, Wiz).

The vulnerability allows authenticated System Manager users to view team details they should not have access to, potentially leading to unauthorized information disclosure. The impact is limited to confidentiality breaches with no direct effect on system integrity or availability (Wiz).

Users should upgrade to versions newer than 10.7.0 for the 10.7.x series, 10.5.3 for the 10.5.x series, or 9.11.12 for the 9.11.x series. The vulnerability has been addressed in subsequent releases (Mattermost Security).