Moderate severityNVD Advisory· Published Dec 1, 2025· Updated Dec 1, 2025
Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion
CVE-2025-12756
Description
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | <= 8.0.0-20251013062617-7977e7e6dae3 | — |
github.com/mattermost/mattermostGo | >= 10.11.0, <= 10.11.4 | — |
github.com/mattermost/mattermostGo | >= 10.12.0, <= 10.12.1 | — |
github.com/mattermost/mattermostGo | >= 10.5.0, <= 10.5.12 | — |
github.com/mattermost/mattermostGo | >= 11.0.0, <= 11.0.2 | — |
Affected products
1- Range: 11.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-p6gj-jc38-x2m7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-12756ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.