Moderate severity · OSV Advisory · Published Dec 24, 2025 · Updated Dec 24, 2025
Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin
CVE-2025-13767
Description
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, and 10.11.x <= 10.11.7 fail to validate the user's channel membership when attaching Mattermost posts as comments to Jira issues. This allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20251121122154-b57c297c6d7 | 8.0.0-20251121122154-b57c297c6d7 |
| github.com/mattermost/mattermost-server | Go | >= 10.11.0, < 10.11.8 | 10.11.8 |
| github.com/mattermost/mattermost-server | Go | >= 10.12.0, < 10.12.4 | 10.12.4 |
| github.com/mattermost/mattermost-server | Go | >= 11.0.0, < 11.0.6 | 11.0.6 |
| github.com/mattermost/mattermost-server | Go | >= 11.1.0, < 11.1.1 | 11.1.1 |
Affected products
- Range: @mattermost/client@10.11.0, @mattermost/client@10.12.0, @mattermost/client@11.0.4, …
- GHSA coordinates (3 versions): pkg:golang/github.com/mattermost/mattermost-server; pkg:golang/github.com/mattermost/mattermost/server/v8; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- Version ranges (no CPE): >= 10.11.0, < 10.11.8 (2 more ranges not shown); < 8.0.0-20251121122154-b57c297c6d7; < 0.0.20260226T182644-150000.1.149.1
References (6, sourced from GHSA)
- github.com/advisories/GHSA-fmqf-pmcm-8cx9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-13767 (advisory)
- github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee (web)
- github.com/mattermost/mattermost/pull/34551 (web)
- mattermost.com/security-updates (web)
- pkg.go.dev/vuln/GO-2026-4259 (web)