Nixpkgs security tracker
NIXPKGS-2026-0263
GitHub issue
published on
Permalink
CVE-2025-14573
3.8 LOW
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
ignored
4 packages
- mattermost-desktop
- python312Packages.mattermostdriver
- python313Packages.mattermostdriver
- python314Packages.mattermostdriver
-
@LeSuisse
deleted
maintainer.delete
5 maintainers
- @fsagbuya
- @Kranzes
- @numinit
- @mgdelacroix
- @ryantm
- @LeSuisse accepted
- @LeSuisse published on GitHub
Team Admin Bypass of Invite Permissions via allow_open_invite Field
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
References
-
MMSA-2025-00561 vendor-advisory
-
MMSA-2025-00561 vendor-advisory
Affected products
Mattermost
- ==11.3.0
- =<10.11.9
- ==10.11.10
Matching in nixpkgs
pkgs.mattermost
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle
Ignored packages (4)
pkgs.mattermost-desktop
Mattermost Desktop client
pkgs.python312Packages.mattermostdriver
Python Mattermost Driver
pkgs.python313Packages.mattermostdriver
Python Mattermost Driver
pkgs.python314Packages.mattermostdriver
Python Mattermost Driver
Package maintainers
Ignored maintainers (5)
-
@fsagbuya Florian Agbuya <fa@m-labs.ph>
-
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
-
@ryantm Ryan Mulligan <ryan@ryantm.com>
-
@numinit Morgan Jones <me+nixpkgs@numin.it>
-
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>