Moderate severityNVD Advisory· Published Nov 14, 2025· Updated Dec 1, 2025
Password hash and MFA secret returned in user email verification endpoint
CVE-2025-11794
Description
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost-serverGo | >= 10.11.0, < 10.11.4 | 10.11.4 |
github.com/mattermost/mattermost-serverGo | >= 10.5.0, < 10.5.12 | 10.5.12 |
github.com/mattermost/mattermost-serverGo | >= 10.12.0, < 10.12.1 | 10.12.1 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250929212932-a41db04d2746 | 8.0.0-20250929212932-a41db04d2746 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8
>= 10.11.0, < 10.11.4+ 1 more
- (no CPE)range: >= 10.11.0, < 10.11.4
- (no CPE)range: < 8.0.0-20250929212932-a41db04d2746
- Range: 10.11.0
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-mqp8-pgg5-7x7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-11794ghsaADVISORY
- github.com/mattermost/mattermost/commit/375ce229f4923205394d8f27925372b2cbf28130ghsaWEB
- github.com/mattermost/mattermost/commit/6c288aa62bb3343183ec1d0a06360d14aa0193e9ghsaWEB
- github.com/mattermost/mattermost/commit/a41db04d2746ab549d056db4ede4cd803f64989cghsaWEB
- github.com/mattermost/mattermost/commit/b822cea06bf5683a176e2c92711241bd29cd9389ghsaWEB
- github.com/mattermost/mattermost/commit/e47349ea0fc072ee1dfb196d9bb1c8fd1a589224ghsaWEB
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.