CVE-2025-13870 LOW

CVE-2025-13870: Unauthorized access and subscription vulnerability in Boards

Vendor Mattermost
Product Mattermost
Weakness CWE-306 · Missing auth
Published December 2, 2025
Last update December 2, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user's permission when accessing files and subscribing to a block in Boards, which allows an authenticated user to access other boards' files and to subscribe to blocks from other boards that the user does not have access to.

Key dates

02 Disclosure timeline

December 2, 2025 CVE published
December 2, 2025 Record updated