Base Score

MEDIUM5.4

CVE-2025-41410

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions

VectorNETWORK

Published Byresponsibledisclosure@mattermost.com

Published DateOct 16, 2025, 09:15

Affected Versions(4)

github.com/mattermost/mattermost/server/v8(Go)

Introduced0

Fixed8.0.0-20250822083415-01b95392a450

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.10.0

Fixed10.10.3

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.5.0

Fixed10.5.11

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.11.0

Fixed10.11.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/mattermost/mattermost/server/v8(Go)	0	8.0.0-20250822083415-01b95392a450	N/A
github.com/mattermost/mattermost-server(Go)	10.10.0	10.10.3	N/A
github.com/mattermost/mattermost-server(Go)	10.5.0	10.5.11	N/A
github.com/mattermost/mattermost-server(Go)	10.11.0	10.11.3	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

https://mattermost.com/security-updates

Base Score

MEDIUM5.4

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

5.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE