CVE-2025-9076

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-9076

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9076.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-9076

Aliases

Downstream

SUSE-SU-2025:03289-1

Related

SUSE-SU-2025:03289-1

Published

2025-09-15T10:15:32Z

Modified

2025-09-24T12:44:42.996624Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type: GIT
Repo: https://github.com/mattermost/mattermost-server
Events: Introduced

c8bd5c937551a4e9ad23f5a4fd8aaf7604d046dd

Fixed

70c3cb2c1eef66484d5455217295684a49b7c3f1

Affected versions

v10.*

v10.10.0

v10.10.1

v10.10.1-rc1

v10.10.2-rc1

v10.10.2-rc2

v10.10.2-rc3

v10.10.2-rc4