CVE-2025-11794

CVSS v2.0

6.8

Vector

AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.11 Mattermost versions 10.11.x through 10.11.3 Mattermost versions 10.12.x through 10.12.0

Description The software does not properly sanitize user data, potentially allowing system administrators to access password hashes and multi-factor authentication secrets. This access is possible through the 'POST /api/v4/users/{user id}/email/verify/member' API endpoint. The vulnerable parameter is

user id

Recommendations Update Mattermost versions to a version later than 10.5.11. Update Mattermost versions to a version later than 10.11.3. Update Mattermost versions to a version later than 10.12.0.

Exploit

Fix

LPE

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

BDU:2025-16012

CVE-2025-11794

GHSA-MQP8-PGG5-7X7M

GO-2025-4130

Affected Products

Mattermost

CVE-2025-11794

Weakness Enumeration

Related Identifiers

Affected Products

References · 19