CVE-2025-13821 — Sensitive Information Exposure in Mattermost Mattermost-server

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.7MEDIUMNVD

EPSS

0.0%

top 88.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 16

Latest updateFeb 23

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.10+2

▶Gogithub.com/mattermost_mattermost-server< 5.3.2-0.20251210191531-cd17b61de41b+6

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20251210191531-cd17b61de41b

▶CVEListV5mattermost/mattermost11.1.0 — 11.1.2+2

🔴Vulnerability Details

OSV

Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server↗2026-02-23

▶

GHSA

Mattermost fails to sanitize sensitive data in WebSocket messages↗2026-02-16

▶

OSV

Mattermost fails to sanitize sensitive data in WebSocket messages↗2026-02-16

▶

CVEList

User profile update exposes password hash and MFA secrets↗2026-02-16

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13821 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶