CVE-2025-6226 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=10.5.0 <10.5.7 || >=10.8.0 <10.8.2 || >=10.7.0 <10.7.4 || >=9.11.0 <9.11.17
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00036 (percentile 0.09113)
Details
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, and 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID. This allows an authenticated user to read posts in private channels they do not have access to by guessing the PendingPostID of recently created posts.
Metadata
Created: 2025-07-18T09:30:32Z
Modified: 2025-07-21T18:32:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7h34-9chr-58qh/GHSA-7h34-9chr-58qh.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-7h34-9chr-58qh
Finding: F006
Auto approve: 1