Mattermost boards plugin fails to restrict download access to files

GHSA-f72g-52v7-mg3p · CVE-2025-9081 · GO-2025-3978

Published Sep 19, 2025 · Modified Sep 26, 2025

Description

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-9081
WEB https://github.com/mattermost/mattermost-plugin-boards/pull/114
WEB https://github.com/mattermost/mattermost-plugin-boards/commit/3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b
PACKAGE https://github.com/mattermost/mattermost-plugin-boards
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2025-3978

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes