CVE-2025-9076: Mattermost Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.