Missing Authentication for Critical Function

CVE-2025-27538

Low

2.7/10

Summary

Mattermost versions 9.11.x through 9.11.9, 10.5.x through 10.5.1 fails to enforce MFA checks in PUT "/api/v4/users/user-id/mfa" when the requesting user differs from the target user ID, which allows users with "edit_other_users" permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

Advisory
Advisory
Pull request

Advisory Timeline

Published Apr 16, 2025

Missing Authentication for Critical Function

CVE-2025-27538

Summary

CWE-306 - Missing Authentication for Critical Function

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS