CVE-2025-9076

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

Published: Sep 15, 2025
Updated: Sep 16, 2025
CVE: CVE-2025-9076
GHSA: GHSA-3vcm-c42p-3hhf
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250729073403-517ae758cd02
github.com/mattermost/mattermost-server	10.10.0	10.10.2

https://mattermost.com/security-updates

Vulnerability Database

CVE-2025-9076