Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.7
Mattermost Fails to Protect Sensitive User Data in Websocket Messages
CVE-2025-13821
GHSA-pp9j-pf5c-659x
Summary
Versions of Mattermost up to 11.1.2, 10.11.9, and 11.2.1 contain a security flaw that allows attackers to steal sensitive information like passwords and two-factor authentication secrets. Affected users should update to a fixed version of Mattermost to prevent this type of data exposure. This fix is included in version 11.1.3 and later, 10.11.10 and later, and 11.2.2 and later.
What to do
- Update github.com mattermost to version 8.0.0-20251210191531-cd17b61de41b.
- Update github.com mattermost to version 5.3.2-0.20251210191531-cd17b61de41b.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | <= 8.0.0-20251210191531-cd17b61de41b | 8.0.0-20251210191531-cd17b61de41b |
| github.com | mattermost | > 11.1.0 , <= 11.1.3 | – |
| github.com | mattermost | > 10.11.0 , <= 10.11.10 | – |
| github.com | mattermost | > 11.2.0 , <= 11.2.2 | – |
| github.com | mattermost | <= 5.3.2-0.20251210191531-cd17b61de41b | 5.3.2-0.20251210191531-cd17b61de41b |
| mattermost | mattermost_server | > 10.11.0 , <= 10.11.10 | – |
| mattermost | mattermost_server | > 11.1.0 , <= 11.1.3 | – |
| mattermost | mattermost_server | > 11.2.0 , <= 11.2.2 | – |
Original title
Mattermost fails to sanitize sensitive data in WebSocket messages
Original description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
nvd CVSS3.1
5.7
Vulnerability type
CWE-200
Information Exposure
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026