Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8(Go) | 0 | 8.0.0-20250414112942-77892234944b | N/A |
| github.com/mattermost/mattermost-server(Go) | 10.7.0 | 10.7.2 | N/A |
| github.com/mattermost/mattermost-server(Go) | 10.6.0 | 10.6.4 | N/A |
| github.com/mattermost/mattermost-server(Go) | 10.5.0 | 10.5.5 | N/A |
| github.com/mattermost/mattermost-server(Go) | 9.11.0 | 9.11.14 | N/A |
CVSS Metrics
