4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12559

GHSA ID

GHSA-4g87-9x45-cx2h

EPSS Score

0.00027%

CWE

CWE-200

Published

11/27/2025

Updated

12/1/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12559

CVE-2025-12559: Mattermost fails to sanitize team email addresses

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-12559

CVE-2025-12559:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-12559

GHSA ID

GHSA-4g87-9x45-cx2h

EPSS Score

0.00027%

CWE

CWE-200

Published

11/27/2025

Updated

12/1/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20251015091448-abbf01b9db45	8.0.0-20251015091448-abbf01b9db45
github.com/mattermost/mattermost-server	go	>= 11.0.0, < 11.0.3	11.0.3
github.com/mattermost/mattermost-server	go	>= 10.12.0, < 10.12.2	10.12.2
github.com/mattermost/mattermost-server	go	>= 10.11.0, < 10.11.5	10.11.5
github.com/mattermost/mattermost-server	go	>= 10.5.0, < 10.5.13	10.5.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the API handlers that return information about teams. Specifically, the functions getGroupMessageMembersCommonTeams and getDirectOrGroupMessageMembersCommonTeams in server/channels/api4/channel.go were identified as vulnerable. These functions handle API requests that provide lists of teams. Before the fix, the code would fetch the team data and immediately encode it as a JSON response. This team data included sensitive information, such as team email addresses, that should only be accessible to users with specific permissions (i.e., Team Admins). The vulnerability was that the code did not check the permissions of the user making the request before returning the sensitive data. The patch for this vulnerability was to introduce a call to c.App.SanitizeTeams. This function takes the user's session and the list of teams, and it filters out any sensitive information that the user is not authorized to see before the data is encoded and sent in the response. Therefore, any authenticated user could exploit this vulnerability to access the email addresses of any team.

Vulnerable functions

api4.getGroupMessageMembersCommonTeams

server/channels/api4/channel.go

This function handles the `/api/v4/channels/{channel_id}/common_teams` endpoint. It retrieves team information and, before the patch, would write this information directly to the HTTP response without proper sanitization. This allowed any authenticated user to view sensitive team data, such as email addresses, which should have been restricted to Team Admins.

api4.getDirectOrGroupMessageMembersCommonTeams

server/channels/api4/channel.go

Similar to `getGroupMessageMembersCommonTeams`, this function retrieves team information and writes it to the HTTP response. Before the patch, it lacked sanitization, exposing sensitive team data like email addresses to unauthorized users. The patch introduces the `SanitizeTeams` function to filter this data based on user permissions.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-12559: Mattermost fails to sanitize team email addresses

CVE-2025-12559:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-12559: Mattermost fails to sanitize team email addresses

4.3

4.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI