CVE-2025-55074 LOW

CVE-2025-55074: Channel member objects leak read status

Vendor Mattermost
Product Mattermost
Weakness CWE-1426
Published November 18, 2025
Last update November 18, 2025

CVSS base score

3.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

Key dates

02Disclosure timeline

November 18, 2025 CVE published
November 18, 2025 Record updated