Vulnerability Details CVE-2025-27538
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.6%
CVSS Severity
CVSS v3 Score 2.2
References
Products affected by CVE-2025-27538
-
cpe:2.3:a:mattermost:mattermost_server:10.5.0
-
cpe:2.3:a:mattermost:mattermost_server:10.5.1
-
cpe:2.3:a:mattermost:mattermost_server:9.11.0
-
cpe:2.3:a:mattermost:mattermost_server:9.11.1
-
cpe:2.3:a:mattermost:mattermost_server:9.11.2
-
cpe:2.3:a:mattermost:mattermost_server:9.11.3
-
cpe:2.3:a:mattermost:mattermost_server:9.11.4
-
cpe:2.3:a:mattermost:mattermost_server:9.11.5
-
cpe:2.3:a:mattermost:mattermost_server:9.11.6
-
cpe:2.3:a:mattermost:mattermost_server:9.11.7
-
cpe:2.3:a:mattermost:mattermost_server:9.11.8
-
cpe:2.3:a:mattermost:mattermost_server:9.11.9