CVE-2025-55070 — Missing Authentication for Critical Function in Mattermost Mattermost-server

CWE-306 — Missing Authentication for Critical Function5 documents4 sources

Severity

7.5HIGHNVD

CNA6.5

EPSS

0.1%

top 66.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedNov 14

Latest updateNov 17

Description

Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDmattermost/mattermost_server< 11.0.0

▶Gogithub.com/mattermost_mattermost-server< 11.1.0+1

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250912063506-7d8b7b5e4a60

▶CVEListV5mattermost/mattermost<11

🔴Vulnerability Details

OSV

Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server↗2025-11-17

▶

OSV

Mattermost does not enforce MFA on WebSocket connections↗2025-11-14

▶

GHSA

Mattermost does not enforce MFA on WebSocket connections↗2025-11-14

▶

CVEList

Lack of MFA enforcement in WebSocket connections↗2025-11-14

▶