CVE-2025-13870

Summary

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.11.0 <= 10.11.4affected
MattermostMattermost10.5.0 <= 10.5.12affected
MattermostMattermost11.1.0unaffected
MattermostMattermost10.11.5unaffected
MattermostMattermost10.5.13unaffected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References