CVE-2025-13767: Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues

December 24, 2025 (updated December 26, 2025)

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

References

github.com/advisories/GHSA-fmqf-pmcm-8cx9
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee
github.com/mattermost/mattermost/pull/34551
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-13767

Code Behaviors & Features

Detect and mitigate CVE-2025-13767 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →