CVE-2025-6226

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.

Published: Jul 18, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-6226
GHSA: GHSA-7h34-9chr-58qh
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	10.5.0	10.5.7
github.com/mattermost/mattermost-server	10.8.0	10.8.2
github.com/mattermost/mattermost-server	10.7.0	10.7.4
github.com/mattermost/mattermost-server	9.11.0	9.11.17
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250520130510-fa40a8c5d47f

https://github.com/mattermost/mattermost/commit/fa40a8c5d47fed5c166429a1c1bd95d62b241d89
https://mattermost.com/security-updates

Vulnerability Database

CVE-2025-6226