GHSA-fmqf-pmcm-8cx9

Source

https://github.com/advisories/GHSA-fmqf-pmcm-8cx9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fmqf-pmcm-8cx9

Aliases

Published

2025-12-24T09:30:22Z

Modified

2026-02-27T22:04:19Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues

Details

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

Database specific

{
    "nvd_published_at": "2025-12-24T08:15:45Z",
    "github_reviewed_at": "2025-12-26T18:40:17Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20251121122154-b57c297c6d7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.11.0

Fixed

10.11.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.12.0

Fixed

10.12.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.0.0

Fixed

11.0.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.1.0

Fixed

11.1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmqf-pmcm-8cx9/GHSA-fmqf-pmcm-8cx9.json"