Low severity · NVD Advisory · Published Sep 19, 2025 · Updated Sep 19, 2025
IDOR in board file download allows any user to download any file by UUID
CVE-2025-9081
Description
Mattermost versions 10.5.x <= 10.5.8 and 9.11.x <= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-boards (Go) | < 0.0.0-20250716054606-3f3e3becfe1d | 0.0.0-20250716054606-3f3e3becfe1d |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250721095935-11c36f4d1e44 | 8.0.0-20250721095935-11c36f4d1e44 |
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0-rc1, < 10.5.9 | 10.5.9 |
| github.com/mattermost/mattermost-server (Go) | >= 9.11.0-rc1, < 9.11.18 | 9.11.18 |
Affected products
- ghsa-coords (6 versions):
  - pkg:golang/github.com/mattermost/mattermost-plugin-boards
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- (no CPE) range: < 0.0.0-20250716054606-3f3e3becfe1d
- (no CPE) range: >= 10.5.0-rc1, < 10.5.9
- (no CPE) range: < 8.0.0-20250721095935-11c36f4d1e44
- (no CPE) range: < 0.0.20251023T162509-150000.1.110.1
- (no CPE) range: < 0.0.20250924T192141-1.1
- (no CPE) range: < 0.0.20251023T162509-150000.1.110.1
- Range: 10.5.0
References
- github.com/advisories/GHSA-f72g-52v7-mg3p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-9081 (ghsa, ADVISORY)
- github.com/mattermost/mattermost-plugin-boards/commit/3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b (ghsa, WEB)
- github.com/mattermost/mattermost-plugin-boards/pull/114 (ghsa, WEB)
- mattermost.com/security-updates (ghsa, WEB)
- pkg.go.dev/vuln/GO-2025-3978 (ghsa, WEB)