CVE-2025-55074: Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to enforce access permissions in the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
References
- github.com/advisories/GHSA-9hh7-6558-qfp2
- github.com/mattermost/mattermost
- github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52
- github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149
- github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5
- github.com/mattermost/mattermost/pull/33835
- github.com/mattermost/mattermost/pull/33905
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-55074