PT-2026-8338 · Mattermost · Mattermost

Daw10

Published

2026-02-16

Updated

2026-03-03

CVE-2025-13821

CVSS v3.1

5.7

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.9 Mattermost versions 11.1.x through 11.1.2 Mattermost versions 11.2.x through 11.2.1

Description The software does not properly sanitize sensitive data within WebSocket messages. This allows authenticated users to obtain password hashes and multi-factor authentication secrets by exploiting profile nickname updates or email verification events.

Recommendations Update Mattermost to a version later than 10.11.9. Update Mattermost to a version later than 11.1.2. Update Mattermost to a version later than 11.2.1.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2025-13821

GHSA-PP9J-PF5C-659X

GO-2026-4524

SUSE-SU-2026:0757-1

Affected Products

Mattermost

PT-2026-8338 · Mattermost · Mattermost

CVE-2025-13821

Weakness Enumeration

Related Identifiers

Affected Products

References · 116