Mattermost does not enforce MFA on WebSocket connections

GHSA-xpg8-8xpv-948p · CVE-2025-55070 · GO-2025-4128

Published Nov 14, 2025 · Modified Nov 17, 2025

Description

Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-55070
WEB https://github.com/mattermost/mattermost/commit/7d8b7b5e4a6076b2f7c87606883c417f9a610df5
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes