CVE-2025-13870: Mattermost fails to validate user permissions in Boards

December 2, 2025 (updated December 3, 2025)

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to

References

github.com/advisories/GHSA-58w6-w55x-6wq8
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-13870

Code Behaviors & Features

Detect and mitigate CVE-2025-13870 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →