8 matches found
CVE-2025-6226 IDOR in CreatePost API allows for timeboxed message disclosure
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of...
CVE-2025-6226
Mattermost Server contains an IDOR-like flaw (CVE-2025-6226) where authorization is not verified when retrieving cached posts by PendingPostID. Affected versions include 9.11.x <= 9.11.16, 10.5.x <= 10.5.6, 10.7.x <= 10.7.3, and 10.8.x
CVE-2024-39361 Creating posts with user-defined IDs permitted in CreatePost API
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts, which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken...
CVE-2024-39361
CVE-2024-39361 affects Mattermost 9.8.0, 9.7.x up to 9.7.4, 9.6.x up to 9.6.2, and 9.5.x up to 9.5.5. The issue is that the CreatePost API does not prevent users from supplying a RemoteId for posts, allowing an attacker to specify both a remoteId and the post ID and thereby create posts with user...
Information Disclosure
Mattermost is vulnerable to Information Disclosure. The vulnerability is due to a flaw that allows an attacker to request a preview of an existing message while creating a new message using the createPost API call. The attacker can exploit this vulnerability to disclose contents of the linked...
GHSA-3WQ5-3F56-V5XC Mattermost vulnerable to information disclosure
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...
CVE-2023-1777 Information disclosure in linked message previews
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...
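The three flaws listed above (CVE-2025-6226, CVE-2024-39361 and CVE-2023-1777) all sit on the same CreatePost path, so the following added example models them together in one toy handler. It is not Mattermost's code; the `Server`, `Post`, `CreatePost`, `Demo` names, the `/pl/<id>` permalink form, the `Strict` switch and the channel-membership model are all assumptions made for illustration. With `Strict` false the handler reproduces the behaviour the advisories describe (a guessed PendingPostID returns another user's cached post, a client may pick its own post ID, and a permalink preview is attached without checking access); with `Strict` true each of the three checks is enforced.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example: a toy CreatePost handler, not Mattermost's code.
// All names here are assumptions made for illustration.

var (
	ErrForbidden  = errors.New("forbidden")
	ErrBadRequest = errors.New("bad request")
)

type Post struct {
	ID            string
	PendingPostID string // client-chosen key used to deduplicate retried sends
	RemoteID      string // meant to be set only by a trusted remote cluster
	ChannelID     string
	UserID        string
	Message       string
	PreviewPostID string // ID of a linked post whose preview was attached
}

type Server struct {
	Strict  bool                       // false reproduces the advisories' behaviour
	posts   map[string]*Post           // post ID -> post
	pending map[string]*Post           // PendingPostID -> post (dedup cache)
	members map[string]map[string]bool // channel ID -> member user IDs
	nextID  int
}

func NewServer(strict bool) *Server {
	return &Server{Strict: strict, posts: map[string]*Post{},
		pending: map[string]*Post{}, members: map[string]map[string]bool{}}
}

func (s *Server) AddMember(channelID, userID string) {
	if s.members[channelID] == nil {
		s.members[channelID] = map[string]bool{}
	}
	s.members[channelID][userID] = true
}

func (s *Server) canRead(userID, channelID string) bool { return s.members[channelID][userID] }

// permalinkTarget extracts the post ID from the first "/pl/<id>" link in msg.
func permalinkTarget(msg string) string {
	i := strings.Index(msg, "/pl/")
	if i < 0 {
		return ""
	}
	rest := msg[i+4:]
	if j := strings.IndexAny(rest, " \n"); j >= 0 {
		rest = rest[:j]
	}
	return rest
}

// CreatePost handles an authenticated request from userID; fromRemote is true
// only for requests arriving over a trusted remote-cluster link.
func (s *Server) CreatePost(userID string, req Post, fromRemote bool) (*Post, error) {
	// Dedup cache: a retried send with a known PendingPostID returns the existing
	// post. CVE-2025-6226: the caller's access to that post's channel must be
	// checked, or a guessed PendingPostID discloses a private-channel post.
	if req.PendingPostID != "" {
		if cached, ok := s.pending[req.PendingPostID]; ok {
			if s.Strict && !s.canRead(userID, cached.ChannelID) {
				return nil, ErrForbidden
			}
			return cached, nil
		}
	}
	if !s.canRead(userID, req.ChannelID) {
		return nil, ErrForbidden
	}
	// CVE-2024-39361: only a trusted remote cluster may supply Id/RemoteId;
	// an ordinary client must never choose the stored post ID.
	if s.Strict && !fromRemote && (req.ID != "" || req.RemoteID != "") {
		return nil, ErrBadRequest
	}
	post := &Post{ID: req.ID, PendingPostID: req.PendingPostID, RemoteID: req.RemoteID,
		ChannelID: req.ChannelID, UserID: userID, Message: req.Message}
	if post.ID == "" {
		s.nextID++
		post.ID = fmt.Sprintf("post%d", s.nextID)
	}
	if _, exists := s.posts[post.ID]; exists {
		return nil, ErrBadRequest
	}
	// CVE-2023-1777: attach a preview of a linked post only when the author
	// can read the linked post's channel.
	if target := permalinkTarget(req.Message); target != "" {
		if linked, ok := s.posts[target]; ok && (!s.Strict || s.canRead(userID, linked.ChannelID)) {
			post.PreviewPostID = target
		}
	}
	s.posts[post.ID] = post
	if post.PendingPostID != "" {
		s.pending[post.PendingPostID] = post
	}
	return post, nil
}

// Demo runs the three scenarios with constructed data (alice in a private
// channel, mallory only in a public one) and reports whether each disclosure
// or abuse succeeded.
func Demo(strict bool) (pendingLeak, idChosen, previewLeak bool) {
	s := NewServer(strict)
	s.AddMember("private", "alice")
	s.AddMember("public", "alice")
	s.AddMember("public", "mallory")
	secret, _ := s.CreatePost("alice", Post{PendingPostID: "p1", ChannelID: "private", Message: "secret"}, false)
	if p, err := s.CreatePost("mallory", Post{PendingPostID: "p1", ChannelID: "public", Message: "x"}, false); err == nil {
		pendingLeak = p.ChannelID == "private" && p.Message == "secret"
	}
	if p, err := s.CreatePost("mallory", Post{ID: "evil", RemoteID: "r1", ChannelID: "public", Message: "y"}, false); err == nil {
		idChosen = p.ID == "evil"
	}
	if p, err := s.CreatePost("mallory", Post{ChannelID: "public", Message: "see /pl/" + secret.ID}, false); err == nil {
		previewLeak = p.PreviewPostID == secret.ID
	}
	return
}

func main() {
	for _, strict := range []bool{false, true} {
		a, b, c := Demo(strict)
		fmt.Printf("strict=%v pendingLeak=%v idChosen=%v previewLeak=%v\n", strict, a, b, c)
	}
}
```

The point to carry over to a real code base is the first check: a deduplication cache keyed by a client-supplied identifier is just another lookup by ID, and the authorization decision has to be made against the channel of the object found, not the channel named in the request.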