CVE-2025-3913: 
vulnerability analysis and mitigation

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 contain a permission validation vulnerability that was disclosed on May 29, 2025. The vulnerability is identified as CVE-2025-3913 and has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) (NVD, Wiz).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) where the application fails to properly validate permissions when changing team privacy settings. The vulnerability has a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD, AttackerKB).

The vulnerability allows team administrators without the 'invite user' permission to access and modify team invite IDs through the /api/v4/teams/:teamId/privacy endpoint. This could lead to unauthorized access to team privacy settings and potential information disclosure (Wiz).

Users should upgrade to the latest version of Mattermost that contains the fix for this vulnerability. The fixed versions are available for all affected version lines (Mattermost Security).