CVE-2025-9076

Summary

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.10.0 <= 10.10.1affected
MattermostMattermost10.11.0unaffected
MattermostMattermost10.10.2unaffected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References