VYPR
Moderate severityNVD Advisory· Published Sep 15, 2025· Updated Sep 15, 2025

Mattermost Server exposes sensitive user credentials during shared channel membership synchronization

CVE-2025-9076

Description

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20250729073403-517ae758cd028.0.0-20250729073403-517ae758cd02
github.com/mattermost/mattermost-serverGo
>= 10.10.0, < 10.10.210.10.2

Affected products

6

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.