CVE-2025-55074Improper Validation of Generative AI Output in Mattermost Mattermost-server

CWE-1426Improper Validation of Generative AI OutputCWE-276Incorrect Default Permissions5 documents4 sources
Severity
3.5LOWNVD
CNA3.0
EPSS
0.0%
top 94.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedNov 18
Latest updateNov 25

Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server10.5.010.5.12+1
Gogithub.com/mattermost_mattermost-server10.5.0+incompatible10.5.12+incompatible+3
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250905150616-ba86dfc5876b6
CVEListV5mattermost/mattermost10.11.010.11.3+1

🔴Vulnerability Details

4
OSV
Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server2025-11-25
GHSA
Mattermost allows other users to determine when users had read channels via channel member objects2025-11-18
CVEList
Channel member objects leak read status2025-11-18
OSV
Mattermost allows other users to determine when users had read channels via channel member objects2025-11-18
CVE-2025-55074 — LOW severity | cvebase