Moderate severityNVD Advisory· Published Dec 1, 2025· Updated Dec 1, 2025
Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion
CVE-2025-12756
Description
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | <= 8.0.0-20251013062617-7977e7e6dae3 | — |
github.com/mattermost/mattermostGo | >= 10.11.0, <= 10.11.4 | — |
github.com/mattermost/mattermostGo | >= 10.12.0, <= 10.12.1 | — |
github.com/mattermost/mattermostGo | >= 10.5.0, <= 10.5.12 | — |
github.com/mattermost/mattermostGo | >= 11.0.0, <= 11.0.2 | — |
Affected products
5- ghsa-coords4 versionspkg:golang/github.com/mattermost/mattermostpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
>= 10.11.0, <= 10.11.4+ 3 more
- (no CPE)range: >= 10.11.0, <= 10.11.4
- (no CPE)range: <= 8.0.0-20251013062617-7977e7e6dae3
- (no CPE)range: < 0.0.20251209T172047-150000.1.127.1
- (no CPE)range: < 0.0.20251209T172047-150000.1.127.1
- Range: 11.0.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-p6gj-jc38-x2m7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-12756ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.