cbcvebase.
CVE-2025-9078
published 2025-09-15

CVE-2025-9078: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link…

medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing

Affected

21 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 10.10.0 < 10.10.210.10.2
github.commattermost_mattermost-server>= 10.10.0+incompatible < 10.10.2+incompatible10.10.2+incompatible
github.commattermost_mattermost-server>= 10.5.0 < 10.5.910.5.9
github.commattermost_mattermost-server>= 10.5.0+incompatible < 10.5.9+incompatible10.5.9+incompatible
github.commattermost_mattermost-server>= 10.8.0 < 10.8.410.8.4
github.commattermost_mattermost-server>= 10.8.0+incompatible < 10.8.4+incompatible10.8.4+incompatible
github.commattermost_mattermost-server>= 10.9.0 < 10.9.410.9.4
github.commattermost_mattermost-server>= 10.9.0+incompatible < 10.9.4+incompatible10.9.4+incompatible
github.commattermost_mattermost-server>= 9.11.0 < 9.11.189.11.18
github.commattermost_mattermost-server>= 9.11.0+incompatible < 9.11.18+incompatible9.11.18+incompatible
github.commattermost_mattermost_server_v8>= 0 < 8.0.0-20250718075842-cd87e5c877378.0.0-20250718075842-cd87e5c87737
mattermostmattermost10.10.0 – 10.10.1
mattermostmattermost10.5.0 – 10.5.8
mattermostmattermost10.8.0 – 10.8.3
mattermostmattermost10.9.0 – 10.9.3
mattermostmattermost9.11.0 – 9.11.17
mattermostmattermost_server>= 10.10.0 < 10.10.210.10.2
mattermostmattermost_server>= 10.5.0 < 10.5.910.5.9
mattermostmattermost_server>= 10.8.0 < 10.8.410.8.4
mattermostmattermost_server>= 10.9.0 < 10.9.410.9.4
mattermostmattermost_server>= 9.11.0 < 9.11.189.11.18