CVE-2025-13821 User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID:...

CVE-2025-2570

Mattermost CVE-2025-2570 affects Mattermost Server versions 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.11. Root cause: the system fails to enforce RestrictSystemAdmin when a user lacks access to ExperimentalSettings, allowing a System Manager to access ExperimentSettings via the System Console. Impact: ex...

GO-2025-3534 Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server...

BIT-MATTERMOST-2024-24988

Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server...