Mattermost Missing Authentication for Critical Function

GHSA-7h34-9chr-58qh · CVE-2025-6226 · GO-2025-3819

Published Jul 18, 2025 · Modified Jul 29, 2025

Description

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-6226
WEB https://github.com/mattermost/mattermost/commit/fa40a8c5d47fed5c166429a1c1bd95d62b241d89
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes