CVE-2025-6226

Summary

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.5.0 <= 10.5.6affected
MattermostMattermost10.8.0 <= 10.8.1affected
MattermostMattermost10.7.0 <= 10.7.3affected
MattermostMattermost9.11.0 <= 9.11.16affected
MattermostMattermost10.9.0unaffected
MattermostMattermost10.5.8unaffected
MattermostMattermost10.8.2unaffected
MattermostMattermost10.7.4unaffected
MattermostMattermost9.11.17unaffected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References