Headline
GHSA-xpg8-8xpv-948p: Mattermost does not enforce MFA on WebSocket connections
Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-55070
Mattermost does not enforce MFA on WebSocket connections
Moderate severity GitHub Reviewed Published Nov 14, 2025 to the GitHub Advisory Database • Updated Nov 17, 2025
Package
gomod github.com/mattermost/mattermost-server (Go)
Affected versions
< 11.1.0
gomod github.com/mattermost/mattermost/server/v8 (Go)
< 8.0.0-20250912063506-7d8b7b5e4a60
8.0.0-20250912063506-7d8b7b5e4a60
Description
Published to the GitHub Advisory Database
Nov 14, 2025
Last updated
Nov 17, 2025