CVE-2025-12756 — Incorrect Authorization in Server

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 87.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Server Mattermost Github.com Mattermost Mattermost +1 more

Timeline

PublishedDec 1

Latest updateDec 2

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.5.0 — 10.5.13+3

▶CVEListV5mattermost/mattermost11.0.0 — 11.0.2+3

▶Gogithub.com/mattermost_mattermost10.11.0 — 10.11.4+6

▶Gogithub.com/mattermost_mattermost_server_v88.0.0-20251013062617-7977e7e6dae3

🔴Vulnerability Details

OSV

Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost↗2025-12-02

▶

CVEList

Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion↗2025-12-01

▶

GHSA

Mattermost fails to validate user permissions when deleting comments in Boards↗2025-12-01

▶

OSV

Mattermost fails to validate user permissions when deleting comments in Boards↗2025-12-01

▶