Description

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

INFO

Published Date :

2025-04-16T07:45:01.229Z

Last Modified :

2025-04-16T14:34:29.842Z

Source :

Mattermost
AFFECTED PRODUCTS

The following products are affected by CVE-2025-27538 vulnerability.

Vendors Products
Mattermost
  • Mattermost Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-27538.

URL Resource
https://mattermost.com/security-updates cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact