CVE-2025-12756

Summary

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.0.0 <= 11.0.2affected
MattermostMattermost10.12.0 <= 10.12.1affected
MattermostMattermost10.11.0 <= 10.11.4affected
MattermostMattermost10.5.0 <= 10.5.12affected
MattermostMattermost11.1.0unaffected
MattermostMattermost11.0.3unaffected
MattermostMattermost10.12.2unaffected
MattermostMattermost10.11.5unaffected
MattermostMattermost10.5.13unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References