3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13870

GHSA ID

GHSA-58w6-w55x-6wq8

EPSS Score

0.00025%

CWE

CWE-284

Published

12/2/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-13870

CVE-2025-13870: Mattermost fails to validate user permissions in Boards

Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-13870

CVE-2025-13870:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13870

GHSA ID

GHSA-58w6-w55x-6wq8

EPSS Score

0.00025%

CWE

CWE-284

Published

12/2/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost/server/v8	go	< 8.0.0-20250905150616-ba86dfc5876b	8.0.0-20250905150616-ba86dfc5876b
github.com/mattermost/mattermost	go	>= 10.11.0, < 10.11.5	10.11.5
github.com/mattermost/mattermost	go	>= 10.5.0, < 10.5.13	10.5.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an information disclosure issue within the Mattermost server API. Several API endpoints that return channel member information were not properly sanitizing the output. Specifically, the LastViewedAt and LastUpdateAt timestamps for channel members were exposed to any authenticated user who could query these endpoints. This leaked information about user activity.

The patch introduces a new method, SanitizeForCurrentUser, on the ChannelMember model. This method checks if the channel member data being requested belongs to the current user. If not, it redacts the sensitive LastViewedAt and LastUpdateAt fields by setting them to -1.

This sanitization logic was then applied to multiple API handlers in server/channels/api4/channel.go and server/channels/api4/user.go, including getChannelMembers, getChannelMembersByIds, getChannelMember, getChannelMembersForTeamForUser, addChannelMember, and getChannelMembersForUser. Before the patch, these functions were the sources of the information leak.

While the vulnerability description mentions improper access control related to "Boards" (accessing files and subscribing to blocks), the provided patch only addresses the information disclosure of channel member activity. It's possible that this information leak could be a contributing factor to a more complex attack chain targeting Boards, or that the description is a broader summary of a security release that included multiple fixes. Based purely on the provided commit, the direct vulnerability is the information disclosure.

Vulnerable functions

api4.getChannelMembers

server/channels/api4/channel.go

This function was returning channel member information without sanitizing it. Specifically, the `LastViewedAt` and `LastUpdateAt` fields were exposed for all users, leading to information disclosure. The patch adds a call to `SanitizeForCurrentUser` to hide this information for users other than the current user.

api4.getChannelMembersByIds

server/channels/api4/channel.go

Similar to `getChannelMembers`, this function was leaking `LastViewedAt` and `LastUpdateAt` for the requested channel members. The patch adds sanitization to prevent this information leak.

api4.getChannelMember

server/channels/api4/channel.go

This function for retrieving a single channel member was also leaking the `LastViewedAt` and `LastUpdateAt` fields if the requested member was not the current user. The patch adds a call to `SanitizeForCurrentUser` to fix this.

api4.getChannelMembersForTeamForUser

server/channels/api4/channel.go

This function was leaking `LastViewedAt` and `LastUpdateAt` for channel members in a team. The patch adds sanitization to prevent this information leak.

api4.addChannelMember

server/channels/api4/channel.go

When adding a channel member, the API response would include the unsanitized channel member object, leaking `LastViewedAt` and `LastUpdateAt`. The patch adds sanitization for the returned data.

api4.getChannelMembersForUser

server/channels/api4/user.go

This function, which gets all channel memberships for a user, was also leaking `LastViewedAt` and `LastUpdateAt` for other users. The patch adds sanitization.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-13870: Mattermost fails to validate user permissions in Boards

CVE-2025-13870:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

3.1

3.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-13870: Mattermost fails to validate user permissions in Boards

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI