CVE-2025-11794 Password hash and MFA secret returned in user email verification endpoint
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11, 10.12.x = 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...