CVE-2025-12756 MEDIUM

CVE-2025-12756: Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion

Vendor: Mattermost
Product: Mattermost
Weakness: CWE-863 · Incorrect authorization
Published: December 1, 2025
Last update: December 1, 2025

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

Key dates

02 Disclosure timeline

December 1, 2025: CVE published
December 1, 2025: Record updated
