CVE-2025-11794
📋 TL;DR
This vulnerability allows system administrators to obtain password hashes and MFA secrets through an API endpoint that fails to sanitize the user object it returns. It affects Mattermost instances running vulnerable versions and exposes sensitive authentication material to privileged users who are not supposed to be able to read it even with their role.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
System administrators could extract password hashes and MFA secrets, potentially enabling credential theft, account compromise, or lateral movement within the organization.
Likely Case
Privileged users inadvertently or intentionally accessing sensitive authentication data they shouldn't have access to, violating security boundaries and potentially enabling insider threats.
If Mitigated
With proper access controls and monitoring, the impact is limited to authorized administrators who already have significant system access, though it still violates security boundaries.
🎯 Exploit Status
Requires system administrator privileges to exploit via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.11.4, 10.5.12, 10.12.1 or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up your Mattermost instance and database.
2. Download the patched version from Mattermost downloads.
3. Stop the Mattermost service.
4. Install the patched version.
5. Restart the Mattermost service.
6. Verify the update was successful.
🔧 Temporary Workarounds
Restrict API Access
Implement network-level restrictions to limit access to the vulnerable API endpoint from unauthorized systems. Note that a port-level rule such as the one below restricts access to the whole Mattermost service on that port, not only the vulnerable endpoint, so it is only practical where every legitimate client comes from the allowed addresses; per-path restrictions belong in the reverse proxy in front of Mattermost.
# Example firewall rule to restrict access to the Mattermost API
# Replace trusted_admin_ip with the administrator host's address or CIDR.
# iptables evaluates rules in order: the ACCEPT must precede the DROP, and an
# earlier rule that already accepts port 8065 would take precedence over both.
iptables -A INPUT -p tcp --dport 8065 -s trusted_admin_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8065 -j DROP
🧯 If You Can't Patch
- Implement strict monitoring and auditing of administrator API access to the vulnerable endpoint
- Review and reduce the number of system administrator accounts to minimize attack surface
🔍 How to Verify
Check if Vulnerable:
Check your Mattermost version via System Console > About or run: grep 'Version' mattermost/config/config.json
Check Version:
grep 'Version' mattermost/config/config.json
Verify Fix Applied:
Verify the version is 10.11.4+, 10.5.12+, or 10.12.1+ and test that system administrators cannot access password hashes via the API endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/v4/users/*/email/verify/member endpoint from administrator accounts
- Multiple failed authentication attempts following API access
Network Indicators:
- Unusual traffic patterns to the vulnerable API endpoint
- Multiple requests to user authentication endpoints
SIEM Query:
source="mattermost" AND (uri_path="/api/v4/users/*/email/verify/member" OR (method="POST" AND uri_path CONTAINS "/email/verify/member"))
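The log indicators and the SIEM query above can be turned into an offline check over exported API logs. The following script is an added example and is not code from the page or from Mattermost: it assumes JSON log records with the fields method, uri_path, user_id and status (real Mattermost log lines may name these differently, so map the fields accordingly), and an assumed list of system-administrator user IDs. It goes slightly beyond the single-request indicator on the page by also raising an alert when one administrator calls the vulnerable endpoint for several distinct target users, which is the pattern a bulk extraction of hashes would produce. The sample log lines are constructed for the example.

```python
import json
import re
from collections import defaultdict

# The vulnerable endpoint: POST /api/v4/users/{user_id}/email/verify/member.
# {user_id} is exactly one path segment, and the pattern is anchored at both
# ends so that longer or shorter paths do not match.
VULN_PATH = re.compile(r"^/api/v4/users/[^/]+/email/verify/member$")

# Assumed set of system-administrator user IDs (constructed for the example).
ADMIN_IDS = {"adm1", "adm2"}

# Constructed sample log records; field names are an assumption, not the
# actual Mattermost log schema.
SAMPLE_LOG = """
{"method":"POST","uri_path":"/api/v4/users/u100/email/verify/member","user_id":"adm1","status":200}
{"method":"POST","uri_path":"/api/v4/users/u101/email/verify/member","user_id":"adm1","status":200}
{"method":"GET","uri_path":"/api/v4/users/u102/email/verify/member","user_id":"adm1","status":405}
{"method":"POST","uri_path":"/api/v4/users/u102/email/verify/member","user_id":"adm1","status":200}
{"method":"POST","uri_path":"/api/v4/users/u100/email/verify/member","user_id":"usr9","status":403}
{"method":"POST","uri_path":"/api/v4/users/me","user_id":"usr9","status":200}
this line is not JSON and must be skipped
{"method":"POST","uri_path":"/api/v4/users/u100/email/verify/member/extra","user_id":"adm2","status":404}
"""


def parse_line(line):
    """Parse one JSON log record; return None for lines that are not JSON objects."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def is_vuln_call(rec):
    """True when the record is a POST to the vulnerable endpoint."""
    return rec.get("method") == "POST" and bool(VULN_PATH.match(rec.get("uri_path", "")))


def target_user(rec):
    """Extract the {user_id} segment from a matching uri_path."""
    return rec["uri_path"].split("/")[4]


def analyze(lines, admin_ids, burst_threshold=3):
    """Return every matching call plus a per-administrator burst alert.

    hits:   one entry per POST to the vulnerable endpoint, whoever made it
            (a 403 from a non-admin is still worth recording).
    alerts: administrators that touched at least burst_threshold distinct
            target users, i.e. the pattern of a bulk hash extraction.
    """
    hits = []
    targets_by_actor = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_vuln_call(rec):
            continue
        actor = rec.get("user_id", "")
        target = target_user(rec)
        hits.append({"actor": actor, "target": target, "status": rec.get("status")})
        targets_by_actor[actor].add(target)

    alerts = [
        {"actor": actor, "distinct_targets": len(targets)}
        for actor, targets in targets_by_actor.items()
        if actor in admin_ids and len(targets) >= burst_threshold
    ]
    return {"hits": hits, "alerts": alerts}


def run_sample():
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG.strip().splitlines(), ADMIN_IDS)


if __name__ == "__main__":
    result = run_sample()
    for hit in result["hits"]:
        print("vulnerable endpoint called:", hit)
    for alert in result["alerts"]:
        print("ALERT bulk access by administrator:", alert)
```

On the sample input the script records four calls to the endpoint (the GET, the unrelated path and the over-long path are ignored) and raises one alert for adm1, who queried three distinct users. Tune burst_threshold to the normal volume of legitimate member-verification calls in your environment before wiring this into a scheduled job.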