CVE-2025-55070: Mattermost does not enforce MFA on WebSocket connections

November 14, 2025 (updated November 17, 2025)

Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events.

References

github.com/advisories/GHSA-xpg8-8xpv-948p
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/7d8b7b5e4a6076b2f7c87606883c417f9a610df5
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-55070

Code Behaviors & Features

Detect and mitigate CVE-2025-55070 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →