CVE-2025-9076Missing Authorization in Mattermost Mattermost-server

CWE-862Missing AuthorizationCWE-770Allocation of Resources Without Limits or Throttling6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 86.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedSep 15
Latest updateSep 17

Description

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDmattermost/mattermost_server10.10.010.10.2
Gogithub.com/mattermost_mattermost-server10.10.0+incompatible10.10.2+incompatible+1
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20250729073403-517ae758cd02
CVEListV5mattermost/mattermost10.10.010.10.1

🔴Vulnerability Details

4
OSV
Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server2025-09-17
CVEList
Mattermost Server exposes sensitive user credentials during shared channel membership synchronization2025-09-15
GHSA
Mattermost Missing Authorization vulnerability2025-09-15
OSV
Mattermost Missing Authorization vulnerability2025-09-15

📋Vendor Advisories

1
Microsoft
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd) as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.2019-02-12
CVE-2025-9076 — Missing Authorization | cvebase