CVE-2025-41423

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.
Configurations

No configuration.

History

24 Apr 2025, 07:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2025-04-24 07:15

Updated : 2025-04-24 07:15


NVD link : CVE-2025-41423

Mitre link : CVE-2025-41423

CVE.ORG link : CVE-2025-41423



Products Affected

No product.

CWE
CWE-863

Incorrect Authorization