We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-27538

MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users



Description

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

Reserved 2025-04-08 | Published 2025-04-16 | Updated 2025-04-16 | Assigner Mattermost


LOW: 2.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-306: Missing Authentication for Critical Function

Product status

Default status
unaffected

10.5.0
affected

9.11.0
affected

10.6.0
unaffected

10.5.2
unaffected

9.11.10
unaffected

Credits

0x7oda7123 finder

References

mattermost.com/security-updates

cve.org (CVE-2025-27538)

nvd.nist.gov (CVE-2025-27538)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-27538

Support options

Helpdesk Chat, Email, Knowledgebase