CVE-2025-11794 MEDIUM

CVE-2025-11794: Password hash and MFA secret returned in user email verification endpoint

Vendor Mattermost

Product Mattermost

Weakness CWE-200 · Info exposure

Published November 14, 2025

Last update December 1, 2025

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

Key dates

02Disclosure timeline

November 14, 2025 CVE published

December 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-11794

Related vulnerabilities

Identifiers

CVE CVE-2025-11794

CWE CWE-200

CVSS 4.9 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 10.11.0 and ≤ 10.11.3

Vendor Mattermost

Product Mattermost

Affected ≥ 10.5.0 and ≤ 10.5.11

Vendor Mattermost

Product Mattermost

Affected ≥ 10.12.0 and ≤ 10.12.0

CVE-2025-11794: Password hash and MFA secret returned in user email verification endpoint

01Description

02Disclosure timeline

03References

04Related CVE