Mattermost fails to sanitize sensitive data in WebSocket messages

GHSA-pp9j-pf5c-659x · CVE-2025-13821 · GO-2026-4524

Published Feb 16, 2026 · Modified Apr 1, 2026

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13821
WEB https://github.com/mattermost/mattermost/commit/cd17b61de41bf0a49b524bb91ce0bbe859e5a100
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes