GHSA-7h34-9chr-58qh: Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, and 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they do not have access to by guessing the PendingPostID of recently created posts.
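The missing check described above, as an added illustration that is not Mattermost's own code: a constructed cache of recent posts keyed by PendingPostID, the lookup as the advisory describes it (no channel check) beside a lookup that verifies the requester's channel membership before releasing the cached post. The types Post, PostCache and Membership, the function names and the sample data are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Post is a constructed, minimal model of a chat post (not Mattermost's own type).
type Post struct {
	ID, PendingPostID, ChannelID, UserID, Message string
}

// PostCache is a constructed stand-in for the server-side cache of recently created
// posts, keyed by the client-supplied PendingPostID.
type PostCache map[string]Post

// Membership is a constructed stand-in for the channel-membership store:
// channelID -> userID -> is a member.
type Membership map[string]map[string]bool

func (m Membership) CanRead(userID, channelID string) bool { return m[channelID][userID] }
var ErrNotFound = errors.New("post not found")

// GetPendingPostVulnerable mirrors the flawed pattern: any authenticated caller who
// presents a cached PendingPostID gets the post back; the post's channel is never
// checked against the caller's memberships.
func GetPendingPostVulnerable(c PostCache, pendingID string) (Post, error) {
	if p, ok := c[pendingID]; ok {
		return p, nil
	}
	return Post{}, ErrNotFound
}

// GetPendingPostAuthorized adds the missing step: the cache hit is released only if
// the requester may read the post's channel. A non-member receives the same
// "not found" as a bad ID, so the endpoint does not reveal which IDs exist.
func GetPendingPostAuthorized(c PostCache, m Membership, requesterID, pendingID string) (Post, error) {
	p, ok := c[pendingID]
	if !ok || !m.CanRead(requesterID, p.ChannelID) {
		return Post{}, ErrNotFound
	}
	return p, nil
}

func main() {
	c := PostCache{"alice:1": {ID: "p1", PendingPostID: "alice:1", ChannelID: "private", UserID: "alice", Message: "secret"}}
	m := Membership{"private": {"alice": true}}
	_, err := GetPendingPostAuthorized(c, m, "mallory", "alice:1")
	fmt.Println("non-member:", err) // non-member: post not found
}
```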
- CVE-2025-6226
Moderate severity GitHub Reviewed Published Jul 18, 2025 to the GitHub Advisory Database • Updated Jul 21, 2025
Package
gomod github.com/mattermost/mattermost-server (Go)
Affected versions
>= 10.5.0, < 10.5.7
>= 10.8.0, < 10.8.2
>= 10.7.0, < 10.7.4
>= 9.11.0, < 9.11.17
Patched versions
10.5.7
10.8.2
10.7.4
9.11.17
gomod github.com/mattermost/mattermost/server/v8 (Go)
Affected versions
< 8.0.0-20250520130510-fa40a8c5d47f
Patched versions
8.0.0-20250520130510-fa40a8c5d47f
Published to the GitHub Advisory Database
Jul 18, 2025
Last updated
Jul 21, 2025