VYPR
Low severityNVD Advisory· Published Sep 19, 2025· Updated Sep 19, 2025

IDOR in board file download allows any user to download any file by UUID

CVE-2025-9081

Description

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost-plugin-boardsGo
< 0.0.0-20250716054606-3f3e3becfe1d0.0.0-20250716054606-3f3e3becfe1d
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20250721095935-11c36f4d1e448.0.0-20250721095935-11c36f4d1e44
github.com/mattermost/mattermost-serverGo
>= 10.5.0-rc1, < 10.5.910.5.9
github.com/mattermost/mattermost-serverGo
>= 9.11.0-rc1, < 9.11.189.11.18

Affected products

7

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.