CVE-2025-6226 — Missing Authentication for Critical Function in Mattermost Mattermost-server

CWE-306 — Missing Authentication for Critical Function5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 78.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedJul 18

Latest updateJul 29

Description

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.17+3

▶Gogithub.com/mattermost_mattermost-server10.5.0 — 10.5.7+7

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250520130510-fa40a8c5d47f

▶CVEListV5mattermost/mattermost10.5.0 — 10.5.6+3

🔴Vulnerability Details

OSV

Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server↗2025-07-29

▶

CVEList

IDOR in CreatePost API allows for timeboxed message disclosure↗2025-07-18

▶

GHSA

Mattermost Missing Authentication for Critical Function↗2025-07-18

▶

OSV

Mattermost Missing Authentication for Critical Function↗2025-07-18

▶