VYPR
Moderate severity · OSV Advisory · Published Dec 24, 2025 · Updated Dec 24, 2025

Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin

CVE-2025-13767

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, and 10.11.x <= 10.11.7 fail to validate the user's channel membership when attaching Mattermost posts as comments to Jira issues. This allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they are not a member of.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions                    Patched versions
github.com/mattermost/mattermost/server/v8  Go          < 8.0.0-20251121122154-b57c297c6d7   8.0.0-20251121122154-b57c297c6d7
github.com/mattermost/mattermost-server     Go          >= 10.11.0, < 10.11.8                10.11.8
github.com/mattermost/mattermost-server     Go          >= 10.12.0, < 10.12.4                10.12.4
github.com/mattermost/mattermost-server     Go          >= 11.0.0, < 11.0.6                  11.0.6
github.com/mattermost/mattermost-server     Go          >= 11.1.0, < 11.1.1                  11.1.1
