CVE-2025-13821

5.7 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Mattermost users to exfiltrate sensitive data including password hashes and MFA secrets through WebSocket messages. The flaw occurs when users update their profile nicknames or trigger email verification events. Organizations running affected Mattermost versions are at risk.

💻 Affected Systems

Products:
  • Mattermost
Versions: 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: All Mattermost deployments with affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could obtain password hashes for offline cracking and MFA secrets, potentially leading to account compromise and lateral movement within the organization.

🟠 Likely Case

Malicious insiders or compromised accounts could exfiltrate sensitive user data, leading to credential theft and potential account takeover.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authenticated users only, but it still represents a significant data exposure risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions 11.1.3, 10.11.10, 11.2.2 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance.
2. Upgrade to a patched version (11.1.3, 10.11.10, or 11.2.2 or later).
3. Restart the Mattermost service.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Disable WebSocket connections (applies to: all)

Temporarily disable WebSocket functionality to prevent exploitation: set 'EnableWebSocket' to false in config.json. Mattermost clients rely on the WebSocket channel for real-time delivery, so expect degraded client behaviour for as long as this stays in place; treat it as a short-term stopgap until you can patch.

Restrict user permissions (applies to: all)

Limit profile update permissions to administrators only: adjust team permissions via System Console > Permissions.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual profile update activity
  • Enable detailed logging of WebSocket connections and user profile changes

🔍 How to Verify

Check if Vulnerable:

Check the Mattermost version via System Console > About Mattermost, or run the 'mattermost version' command.

Check Version:

mattermost version

Verify Fix Applied:

Verify that the version is 11.1.3, 10.11.10, 11.2.2 or later, then perform a test profile nickname update and confirm that the resulting WebSocket event no longer carries sensitive user fields.
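As an added check, not part of this advisory and not Mattermost's own tooling: a small Python helper that classifies a version string against the three affected branches listed above. It assumes you paste in the version reported by the System Console or the 'mattermost version' command. Branches the advisory does not name (for example 11.0.x) are reported as "not covered" rather than as safe, and a prerelease suffix such as '-rc1' is ignored (an assumption; adjust if you run release candidates).

```python
from typing import Optional, Tuple

# First fixed build on each release branch named in the advisory
# (11.1.x <= 11.1.2, 10.11.x <= 10.11.9 and 11.2.x <= 11.2.1 are affected).
FIXED_BY_BRANCH = {
    (11, 1): (11, 1, 3),
    (10, 11): (10, 11, 10),
    (11, 2): (11, 2, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a leading 'v' and a '-suffix' such as '-rc1'.

    Assumption: a prerelease suffix is dropped, so '11.1.3-rc1' counts as 11.1.3.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable(version: str) -> Optional[bool]:
    """True: inside an affected range. False: on a listed branch at or after its fix.
    None: the branch is not covered by this advisory, so this check cannot decide."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def describe(version: str) -> str:
    """Human-readable verdict for one version string."""
    verdict = is_vulnerable(version)
    if verdict is None:
        return f"{version}: branch not listed for CVE-2025-13821; consult the vendor advisory"
    return f"{version}: {'VULNERABLE, upgrade' if verdict else 'fixed build'}"


if __name__ == "__main__":
    # Constructed sample inputs covering each branch boundary plus an unlisted branch.
    for v in ("11.1.2", "11.1.3", "10.11.9", "10.11.10", "11.2.1", "v11.2.2", "11.0.4"):
        print(describe(v))
```

The branch-aware comparison matters here: a plain "is it at least 11.2.2" test would wrongly flag the fixed 10.11.10 and 11.1.3 builds as vulnerable, and would wrongly clear nothing on the unlisted branches.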

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of profile nickname updates
  • Multiple email verification events from single user
  • WebSocket connections with abnormal data patterns

Network Indicators:

  • Unusual WebSocket traffic patterns
  • Large outbound data transfers during profile updates

SIEM Query:

source="mattermost" AND (event="user_updated" OR event="email_verification") AND user!="system" | stats count by user
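As an added example, not part of this advisory and not Mattermost's real log schema: a Python sketch of the "unusual frequency of profile nickname updates" indicator, run over a few constructed JSON log lines that mirror the fields in the SIEM query above (event, user). It flags any non-system user who produces five or more watched events inside a five-minute sliding window. The field names, timestamp format, window and threshold are assumptions to adapt to your actual log source.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two event names used in the SIEM query above; both are emitted when a
# user edits their profile or triggers email verification.
WATCHED_EVENTS = {"user_updated", "email_verification"}

# Constructed sample log lines. The field names (timestamp, event, user, field)
# are an assumption mirroring the SIEM query, not Mattermost's real log format.
SAMPLE_LOG = """\
{"timestamp":"2025-11-20T09:30:00Z","event":"user_updated","user":"bob","field":"nickname"}
{"timestamp":"2025-11-20T10:00:01Z","event":"user_updated","user":"alice","field":"nickname"}
{"timestamp":"2025-11-20T10:00:05Z","event":"user_updated","user":"system","field":"nickname"}
{"timestamp":"2025-11-20T10:00:15Z","event":"user_updated","user":"alice","field":"nickname"}
{"timestamp":"2025-11-20T10:00:30Z","event":"email_verification","user":"alice"}
{"timestamp":"2025-11-20T10:00:45Z","event":"user_updated","user":"alice","field":"nickname"}
{"timestamp":"2025-11-20T10:00:50Z","event":"post_created","user":"carol"}
{"timestamp":"2025-11-20T10:01:00Z","event":"email_verification","user":"alice"}
{"timestamp":"2025-11-20T10:01:20Z","event":"user_updated","user":"alice","field":"nickname"}
{"timestamp":"2025-11-20T11:00:00Z","event":"user_updated","user":"bob","field":"nickname"}
"""


def parse_events(log_text):
    """Yield (user, timestamp) for watched events, skipping the system user
    and any blank or malformed line."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line instead of aborting the scan
        if rec.get("event") not in WATCHED_EVENTS or rec.get("user") == "system":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec["user"], ts


def find_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {user: peak_count} for every user who produced at least
    `threshold` watched events inside any `window`-long sliding interval."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    flagged = {}
    for user, ts in sorted(parse_events(log_text), key=lambda ev: ev[1]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    for user, peak in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} produced {peak} profile/verification events within 5 minutes")
```

On the constructed sample this flags only alice (six events in under two minutes); bob's two updates are ninety minutes apart and stay below any sensible threshold, and the system user is excluded just as the SIEM query excludes it. Tune the window and threshold against a baseline of your own users' normal profile activity before alerting on it.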

🔗 References