Mattermost allows system administrators to access password hashes and MFA secrets

GHSA-mqp8-pgg5-7x7m · CVE-2025-11794 · GO-2025-4130

Published Nov 14, 2025 · Modified Nov 18, 2025

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-11794
WEB https://github.com/mattermost/mattermost/commit/375ce229f4923205394d8f27925372b2cbf28130
WEB https://github.com/mattermost/mattermost/commit/6c288aa62bb3343183ec1d0a06360d14aa0193e9
WEB https://github.com/mattermost/mattermost/commit/a41db04d2746ab549d056db4ede4cd803f64989c
WEB https://github.com/mattermost/mattermost/commit/b822cea06bf5683a176e2c92711241bd29cd9389
WEB https://github.com/mattermost/mattermost/commit/e47349ea0fc072ee1dfb196d9bb1c8fd1a589224
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes