CVE-2025-6227Insufficiently Protected Credentials in Mattermost Mattermost-server

CWE-522Insufficiently Protected Credentials5 documents4 sources
Severity
3.1LOWNVD
CNA2.2
EPSS
0.0%
top 86.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedJul 18
Latest updateJul 29

Description

Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server9.11.09.11.17+1
Gogithub.com/mattermost_mattermost-server9.11.0+incompatible9.11.17+incompatible+3
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250612074655-8f8612c63783
CVEListV5mattermost/mattermost10.5.010.5.7+1

🔴Vulnerability Details

4
OSV
Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server2025-07-29
CVEList
Invite token is used as part of the secure communication2025-07-18
OSV
Mattermost has Insufficiently Protected Credentials2025-07-18
GHSA
Mattermost has Insufficiently Protected Credentials2025-07-18
CVE-2025-6227 — Insufficiently Protected Credentials | cvebase