Low severity · NVD Advisory · Published Nov 18, 2025 · Updated Nov 18, 2025
Channel member objects leak read status
CVE-2025-55074
Description
Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | >= 10.11.0, < 10.11.4 | 10.11.4 |
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0, < 10.5.12 | 10.5.12 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250905150616-ba86dfc5876b6 | 8.0.0-20250905150616-ba86dfc5876b6 |
Affected products
- ghsa-coords (4 versions): >= 10.11.0, < 10.11.4, + 3 more
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- (no CPE) range: >= 10.11.0, < 10.11.4
- (no CPE) range: < 8.0.0-20250905150616-ba86dfc5876b6
- (no CPE) range: < 0.0.20251209T172047-150000.1.127.1
- (no CPE) range: < 0.0.20251209T172047-150000.1.127.1
- Range: 10.11.0
References
- github.com/advisories/GHSA-9hh7-6558-qfp2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-55074 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5 (ghsa, WEB)
- github.com/mattermost/mattermost/pull/33835 (ghsa, WEB)
- github.com/mattermost/mattermost/pull/33905 (ghsa, WEB)
- mattermost.com/security-updates (ghsa, WEB)