CVE-2025-10545
Guest user can add unauthorized team users to private channelsMattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
We have discovered 74 live websites that are affected by CVE-2025-10545.
Affected Software
| Product |  Mattermost |
| Category | Message Boards |
| Vulnerable Domains | 74 live websites (19% of Mattermost install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 8 versions ( 11% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Oct 16, 2025
- Updated - Oct 16, 2025
Credits
- lordwillmore (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-10545 United States | 12 websites |
 Germany | 28 websites |
 GB | 9 websites |
 France | 8 websites |
 Russia | 3 websites |
 Belgium | 2 websites |
 Czech Republic | 2 websites |
 Turkmenistan | 2 websites |
 Austria | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-10545| .com | 17 websites |
| .org | 17 websites |
| .de | 10 websites |
| .ru | 4 websites |
| .fr | 3 websites |
| .net | 3 websites |
| .be | 2 websites |
| .co.uk | 2 websites |
| .ca | 1 websites |
| .co | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-10545
Top websites that are affected by CVE-2025-10545. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | Germany | ***,*** | |
| ****.*******.org | Germany | *,***,*** | |
| **.*****.re | Germany | *,***,*** | |
| ***********.ru | Russia | *,***,*** | |
| ****.*******.com | Germany | *,***,*** | |
| ****.*********.org | United States | *,***,*** | |
| *************.org | GB | *,***,*** | |
| ****************.de | Germany | *,***,*** | |
| ******.de | Germany | *,***,*** | |
| *****.*************.org | GB | *,***,*** |
FAQ
CVE-2025-10545 is Incorrect Authorization in Mattermost
A total of 74 websites have been identified as vulnerable to CVE-2025-10545, based on global website indexing conducted by WebTechSurvey.
The Mattermost is affected by the CVE-2025-10545 vulnerability.
Mattermost versions up to and including 10.11.2 are vulnerable to CVE-2025-10545.