VYPR
Moderate severity · OSV Advisory · Published Dec 24, 2025 · Updated Dec 24, 2025

Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin

CVE-2025-13767

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
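The flaw the description names is a missing authorization check on the object a request refers to: the handler fetches a post by ID and never asks whether the caller may read that post's channel. The Go sketch below is an added example, not Mattermost or Jira plugin code; Post, PluginAPI and fakeAPI are constructed stand-ins, and attachPostVulnerable/attachPostFixed are hypothetical handlers showing the missing check beside its fix.

```go
package main

import "errors"

type Post struct{ ID, ChannelID, Message string } // constructed stand-in, not the real model
// PluginAPI mirrors the Mattermost plugin API's GetPost/HasPermissionToChannel (constructed subset).
type PluginAPI interface {
	GetPost(postID string) (*Post, error)
	HasPermissionToChannel(userID, channelID string) bool
}
var ErrForbidden = errors.New("caller may not read the post's channel")
// attachPostVulnerable mirrors the flaw: nothing checks that the caller can read the post's channel.
func attachPostVulnerable(api PluginAPI, userID, postID string) (string, error) {
	post, err := api.GetPost(postID)
	if err != nil {
		return "", err
	}
	return post.Message, nil
}
// attachPostFixed authorizes against the object referenced by the request: the post's channel.
func attachPostFixed(api PluginAPI, userID, postID string) (string, error) {
	post, err := api.GetPost(postID)
	if err != nil {
		return "", err
	}
	if !api.HasPermissionToChannel(userID, post.ChannelID) {
		return "", ErrForbidden
	}
	return post.Message, nil
}

// fakeAPI is an in-memory stand-in: posts by ID, channel members by channel ID.
type fakeAPI struct {
	posts   map[string]*Post
	members map[string]map[string]bool
}
func (f fakeAPI) GetPost(id string) (*Post, error) {
	if p, ok := f.posts[id]; ok {
		return p, nil
	}
	return nil, errors.New("post not found")
}
func (f fakeAPI) HasPermissionToChannel(uid, cid string) bool { return f.members[cid][uid] }
// sampleAPI holds constructed data: "alice" is in the private channel, "mallory" is not.
func sampleAPI() fakeAPI {
	return fakeAPI{
		posts:   map[string]*Post{"p1": {ID: "p1", ChannelID: "private", Message: "secret plan"}},
		members: map[string]map[string]bool{"private": {"alice": true}},
	}
}
```

The detection-side takeaway is the same: any endpoint that accepts a post ID from the caller must authorize against the post's channel, not just the caller's session.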

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20251121122154-b57c297c6d7 | 8.0.0-20251121122154-b57c297c6d7
github.com/mattermost/mattermost-server | Go | >= 10.11.0, < 10.11.8 | 10.11.8
github.com/mattermost/mattermost-server | Go | >= 10.12.0, < 10.12.4 | 10.12.4
github.com/mattermost/mattermost-server | Go | >= 11.0.0, < 11.0.6 | 11.0.6
github.com/mattermost/mattermost-server | Go | >= 11.1.0, < 11.1.1 | 11.1.1

Affected products: 1

Patches: 1

b57c297c6d7a

Update Jira prepackaged (#34551)

https://github.com/mattermost/mattermost · Maria A Nunez · Nov 21, 2025 · via ghsa
1 file changed · +1 −1
  • server/Makefile (+1 −1, modified)
    @@ -155,7 +155,7 @@ PLUGIN_PACKAGES ?= $(PLUGIN_PACKAGES:)
     PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.0
     PLUGIN_PACKAGES += mattermost-plugin-github-v2.5.0
     PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.11.0
    -PLUGIN_PACKAGES += mattermost-plugin-jira-v4.4.0
    +PLUGIN_PACKAGES += mattermost-plugin-jira-v4.4.1
     PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.6.0
     PLUGIN_PACKAGES += mattermost-plugin-servicenow-v2.4.0
     PLUGIN_PACKAGES += mattermost-plugin-zoom-v1.10.0
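Review bot: this hunk only bumps the prepackaged Jira plugin from v4.4.0 to v4.4.1 in server/Makefile, while the channel-membership check the advisory describes lives in the plugin itself; deployments that installed the Jira plugin from the marketplace or by hand should verify that the running plugin is actually 4.4.1 after upgrading rather than assuming the server update replaced it. The commit message "Update Jira prepackaged (#34551)" also gives no indication that this is a security fix; one line naming the advisory (CVE-2025-13767) and the missing membership validation would help anyone auditing the changelog.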
    

References: 6

News mentions: 0

No linked articles in our index yet.