Vulnerability DatabaseCVE-2025-6226
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-6226
July 18, 2025
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Affected Packages
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.5.0 <v10.5.7
Fix Suggestion:
Update to version v10.5.7
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.5.0+incompatible <v10.5.7
Fix Suggestion:
Update to version v10.5.7
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.7.0 <v10.7.4
Fix Suggestion:
Update to version v10.7.4
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20250520130510-fa40a8c5d47f
Fix Suggestion:
Update to version v8.0.0-20250520130510-fa40a8c5d47f
github.com/mattermost/mattermost (GO):
Affected version(s) >=v9.11.0+incompatible <v9.11.17
Fix Suggestion:
Update to version v9.11.17
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.8.0 <v10.8.2
Fix Suggestion:
Update to version v10.8.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.7.0+incompatible <v10.7.4
Fix Suggestion:
Update to version v10.7.4
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v9.11.0 <v9.11.17
Fix Suggestion:
Update to version v9.11.17
github.com/mattermost/mattermost (GO):
Affected version(s) =v10.8.0+incompatible <v10.8.2
Fix Suggestion:
Update to version v10.8.2
Related Resources (4)
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/fa40a8c5d47fed5c166429a1c1bd95d62b241d89
https://github.com/mattermost/mattermost
https://nvd.nist.gov/vuln/detail/CVE-2025-6226
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Missing Authentication for Critical Function
CWE-306
EPSS
Base Score:
0.05