Metrics
Affected Vendors & Products
Solution
Update Mattermost to versions 10.9.0, 10.5.7, 10.8.2, 10.7.4, 9.11.17 or higher.
Workaround
No workaround given by the vendor.
Link | Providers |
---|---|
https://mattermost.com/security-updates | |
Thu, 07 Aug 2025 10:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mattermost versions 10.5.x <= 10.5.7, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. |
Thu, 07 Aug 2025 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. | Mattermost versions 10.5.x <= 10.5.7, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. |
Fri, 18 Jul 2025 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Fri, 18 Jul 2025 09:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. | |
Title | IDOR in CreatePost API allows for timeboxed message disclosure | |
Weaknesses | CWE-306 | |
References | | |
Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2025-08-07T09:53:06.698Z
Reserved: 2025-06-18T10:41:12.541Z
Link: CVE-2025-6226

Updated: 2025-07-18T12:44:20.694Z

Status: Awaiting Analysis
Published: 2025-07-18T09:15:26.993
Modified: 2025-07-22T13:06:27.983
Link: CVE-2025-6226

No data.

Updated: 2025-07-21T15:17:11Z