Moderate severityNVD Advisory· Published Sep 15, 2025· Updated Sep 15, 2025
Mattermost Server exposes sensitive user credentials during shared channel membership synchronization
CVE-2025-9076
Description
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20250729073403-517ae758cd02 | 8.0.0-20250729073403-517ae758cd02 |
github.com/mattermost/mattermost-serverGo | >= 10.10.0, < 10.10.2 | 10.10.2 |
Affected products
6- ghsa-coords5 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
>= 10.10.0, < 10.10.2+ 4 more
- (no CPE)range: >= 10.10.0, < 10.10.2
- (no CPE)range: < 8.0.0-20250729073403-517ae758cd02
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
- (no CPE)range: < 0.0.20250917T170349-1.1
- (no CPE)range: < 0.0.20250918T182144-150000.1.107.1
- Range: 10.10.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-3vcm-c42p-3hhfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-9076ghsaADVISORY
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.