Headline
GHSA-fmqf-pmcm-8cx9: Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
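The missing check described above, shown as an added Go example next to its corrected form; this is not code from Mattermost or the Jira plugin. `Store`, `Post`, both `commentBody…` functions, the user names and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model; these are not Mattermost or Jira plugin types.
type Post struct{ ChannelID, Message string }
type Store struct {
	posts   map[string]Post
	members map[string]map[string]bool // channelID -> userID -> is member
}

var ErrNotFound = errors.New("post not found")
var ErrForbidden = errors.New("user is not a member of the post's channel")

// commentBodyUnchecked shows the flaw class: userID is accepted but never used.
func (s *Store) commentBodyUnchecked(userID, postID string) (string, error) {
	if p, ok := s.posts[postID]; ok {
		return p.Message, nil
	}
	return "", ErrNotFound
}

// commentBodyChecked requires membership in the post's channel before any content is returned.
func (s *Store) commentBodyChecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.members[p.ChannelID][userID] {
		return "", ErrForbidden
	}
	return p.Message, nil
}

// sampleStore returns constructed data: one private channel with one member.
func sampleStore() *Store {
	return &Store{
		posts:   map[string]Post{"post-1": {ChannelID: "private-ch", Message: "constructed private message"}},
		members: map[string]map[string]bool{"private-ch": {"alice": true}},
	}
}

func main() {
	_, err := sampleStore().commentBodyChecked("bob", "post-1")
	fmt.Println("non-member attach:", err)
}
```

The membership check runs on the channel that owns the post, not on the channel or issue the request was made from.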
- CVE-2025-13767
Moderate severity • GitHub Reviewed • Published Dec 24, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025
Package
gomod github.com/mattermost/mattermost-server (Go)
Affected versions
>= 10.11.0, < 10.11.8
>= 10.12.0, < 10.12.4
>= 11.0.0, < 11.0.6
>= 11.1.0, < 11.1.1
Patched versions
10.11.8
10.12.4
11.0.6
11.1.1
Package
gomod github.com/mattermost/mattermost/server/v8 (Go)
Affected versions
< 8.0.0-20251121122154-b57c297c6d7
Patched versions
8.0.0-20251121122154-b57c297c6d7
Published to the GitHub Advisory Database
Dec 24, 2025
Last updated
Dec 26, 2025