Mattermost allows other users to determine when users had read channels via channel member objects

GHSA-9hh7-6558-qfp2 · CVE-2025-55074 · GO-2025-4133

Published Nov 18, 2025 · Modified Nov 27, 2025

Description

Mattermost versions 10.11.x <= 10.11.3, and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-55074
WEB https://github.com/mattermost/mattermost/pull/33835
WEB https://github.com/mattermost/mattermost/pull/33905
WEB https://github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52
WEB https://github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149
WEB https://github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5
ADVISORY https://github.com/advisories/GHSA-9hh7-6558-qfp2
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes