Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/mattermost/mattermost-server(Go) | 0 | 0.0.0-20250520060012-d0380305ef7a | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 0 | 8.0.0-20250520060012-d0380305ef7a | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.5.0 | 10.5.6 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 9.11.0 | 9.11.16 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.8.0 | 10.8.1 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.7.0 | 10.7.3 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.6.0 | 10.6.6 | N/A |
CVSS Metrics
