{"id":"GHSA-pp9j-pf5c-659x","summary":"Mattermost fails to sanitize sensitive data in WebSocket messages","details":"Mattermost versions 11.1.x \u003c= 11.1.2, 10.11.x \u003c= 10.11.9, 11.2.x \u003c= 11.2.1 fail to sanitize sensitive data in WebSocket messages, which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560","aliases":["CVE-2025-13821","GO-2026-4524"],"modified":"2026-03-27T17:30:08.153966Z","published":"2026-02-16T12:30:25Z","database_specific":{"cwe_ids":["CWE-200"],"severity":"MODERATE","nvd_published_at":"2026-02-16T12:16:21Z","github_reviewed":true,"github_reviewed_at":"2026-02-19T19:35:11Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13821"},{"type":"WEB","url":"https://github.com/mattermost/mattermost/commit/cd17b61de41bf0a49b524bb91ce0bbe859e5a100"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.0.0-20251210191531-cd17b61de41b"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"11.1.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json","last_known_affected_version_range":"\u003c 11.1.3"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"10.11.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json","last_known_affected_version_range":"\u003c 10.11.10"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"11.2.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json","last_known_affected_version_range":"\u003c 11.2.2"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.3.2-0.20251210191531-cd17b61de41b"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-pp9j-pf5c-659x/GHSA-pp9j-pf5c-659x.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}