VYPR
Moderate severityNVD Advisory· Published Dec 1, 2025· Updated Dec 1, 2025

Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion

CVE-2025-12756

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
<= 8.0.0-20251013062617-7977e7e6dae3
github.com/mattermost/mattermostGo
>= 10.11.0, <= 10.11.4
github.com/mattermost/mattermostGo
>= 10.12.0, <= 10.12.1
github.com/mattermost/mattermostGo
>= 10.5.0, <= 10.5.12
github.com/mattermost/mattermostGo
>= 11.0.0, <= 11.0.2

Affected products

5

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.