CVE-2025-6226
Published: 2025-07-18
Severity: medium (CVSS 3.1 base score 6.5)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.5.0 < 10.5.7 | 10.5.7 |
| github.com | mattermost_mattermost-server | >= 10.5.0+incompatible < 10.5.7+incompatible | 10.5.7+incompatible |
| github.com | mattermost_mattermost-server | >= 10.7.0 < 10.7.4 | 10.7.4 |
| github.com | mattermost_mattermost-server | >= 10.7.0+incompatible < 10.7.4+incompatible | 10.7.4+incompatible |
| github.com | mattermost_mattermost-server | >= 10.8.0 < 10.8.2 | 10.8.2 |
| github.com | mattermost_mattermost-server | >= 10.8.0+incompatible < 10.8.2+incompatible | 10.8.2+incompatible |
| github.com | mattermost_mattermost-server | >= 9.11.0 < 9.11.17 | 9.11.17 |
| github.com | mattermost_mattermost-server | >= 9.11.0+incompatible < 9.11.17+incompatible | 9.11.17+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250520130510-fa40a8c5d47f | 8.0.0-20250520130510-fa40a8c5d47f |
| mattermost | mattermost | 10.5.0 – 10.5.6 | — |
| mattermost | mattermost | 10.7.0 – 10.7.3 | — |
| mattermost | mattermost | 10.8.0 – 10.8.1 | — |
| mattermost | mattermost | 9.11.0 – 9.11.16 | — |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.7 | 10.5.7 |
| mattermost | mattermost_server | >= 10.7.0 < 10.7.4 | 10.7.4 |
| mattermost | mattermost_server | >= 10.8.0 < 10.8.2 | 10.8.2 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.17 | 9.11.17 |