CVE-2025-6226 MEDIUM

CVE-2025-6226: IDOR in CreatePost API allows for timeboxed message disclosure

Vendor Mattermost
Product Mattermost
Weakness CWE-306 · Missing auth
Published July 18, 2025
Last update August 7, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to by guessing the PendingPostID of recently created posts.
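To make the missing check concrete, here is an added Go sketch (not Mattermost's code; every type, function name and sample value is hypothetical) showing a cache lookup keyed by PendingPostID with no authorization check, beside the hardened lookup that verifies the caller's channel membership before returning the cached post.

```go
package main

import "errors"

// Post is a minimal stand-in for a chat post; hypothetical, not Mattermost's own type.
type Post struct {
	ID, PendingPostID, ChannelID, Message string
}

// PostCache mirrors the shape of the bug: fresh posts are cached by the client-chosen
// PendingPostID, and channel membership decides who may read them (constructed data).
type PostCache struct {
	byPending map[string]*Post
	members   map[string]map[string]bool // channelID -> set of userIDs
}

var ErrNotFound = errors.New("post not found")

// GetUnchecked is the vulnerable pattern: any authenticated caller who knows (or
// guesses) a PendingPostID gets the cached post back, regardless of channel access.
func (c *PostCache) GetUnchecked(pendingID string) (*Post, error) {
	if p, ok := c.byPending[pendingID]; ok {
		return p, nil
	}
	return nil, ErrNotFound
}

// GetForUser is the hardened pattern: the cache hit is returned only after the
// caller's membership in the post's channel is verified. Unknown and forbidden IDs
// yield the same error so the endpoint is not an oracle for which IDs exist.
func (c *PostCache) GetForUser(userID, pendingID string) (*Post, error) {
	p, ok := c.byPending[pendingID]
	if !ok || !c.members[p.ChannelID][userID] {
		return nil, ErrNotFound
	}
	return p, nil
}

// NewSampleCache builds constructed sample data: one private channel whose only
// member is "alice", and one fresh post cached under its PendingPostID.
func NewSampleCache() *PostCache {
	return &PostCache{
		byPending: map[string]*Post{
			"pend-0001": {ID: "post-a", PendingPostID: "pend-0001", ChannelID: "private-1", Message: "budget draft"},
		},
		members: map[string]map[string]bool{"private-1": {"alice": true}},
	}
}

func main() { _, _ = NewSampleCache().GetForUser("alice", "pend-0001") }
```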

Key dates

Disclosure timeline

July 18, 2025 CVE published
August 7, 2025 Record updated