CVE-2025-13821 MEDIUM

CVE-2025-13821: User profile update exposes password hash and MFA secrets

Vendor Mattermost
Product Mattermost
Weakness CWE-200 · Info exposure
Published February 16, 2026
Last update February 17, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

Key dates

02Disclosure timeline

February 16, 2026 CVE published
February 17, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-21587 CVE-2025-6590 Complete content leak of private wikis due to PasswordReset Wikitext injection in error message CVE-2024-0305 Guangzhou Yingke Electronic Technology Ncast Guest Login IPSetup.php information disclosure CVE-2025-31126 Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call CVE-2024-8899 Jeg Elementor Kit <= 2.6.9 - Authenticated (Contributor+) Sensitive Information Exposure via sg_content_template