VYPR
Moderate severityNVD Advisory· Published Feb 16, 2026· Updated Feb 17, 2026

User profile update exposes password hash and MFA secrets

CVE-2025-13821

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20251210191531-cd17b61de41b8.0.0-20251210191531-cd17b61de41b
github.com/mattermost/mattermost-serverGo
>= 11.1.0
github.com/mattermost/mattermost-serverGo
>= 10.11.0
github.com/mattermost/mattermost-serverGo
>= 11.2.0
github.com/mattermost/mattermost-serverGo
< 5.3.2-0.20251210191531-cd17b61de41b5.3.2-0.20251210191531-cd17b61de41b

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.