GHSA-pp9j-pf5c-659x

Source

https://github.com/advisories/GHSA-pp9j-pf5c-659x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pp9j-pf5c-659x

Aliases

Published

2026-02-16T12:30:25Z

Modified

2026-04-01T17:35:09.396122Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Mattermost fails to sanitize sensitive data in WebSocket messages

Details

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T19:35:11Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-02-16T12:16:21Z",
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

github.com/mattermost/mattermost/server/v8

Package

Name: github.com/mattermost/mattermost/server/v8; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.0-20251210191531-cd17b61de41b

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"

last_known_affected_version_range

"< 11.1.3"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

10.11.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"

last_known_affected_version_range

"< 10.11.10"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

11.2.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"

last_known_affected_version_range

"< 11.2.2"

github.com/mattermost/mattermost-server

Package

Name: github.com/mattermost/mattermost-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.2-0.20251210191531-cd17b61de41b

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"