CVE-2025-13767
Improper Access Control in Mattermost Jira Plugin Allows Data Exposure
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: Mattermost, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost | 11.1.0 |
| mattermost | mattermost | 10.11.7 |
| mattermost | mattermost | 11.0.5 |
| mattermost | mattermost | 10.12.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
In the listed Mattermost versions, the Jira plugin lets a user attach an existing Mattermost post to a Jira issue as a comment, but it does not verify that the requesting user is a member of the channel the post belongs to before reading that post. As a result, an authenticated user who is able to use the Jira plugin can obtain the message text and file attachments of posts from channels they are not authorized to read. This is an incorrect authorization flaw (CWE-863): the plugin performs the action on behalf of the user without correctly checking the user's permission on the underlying resource.
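To make the missing check concrete, the following is an added Go example, not code from the Mattermost Jira plugin. It models the attach-post flow with a hypothetical in-memory Store holding constructed sample posts and channel memberships, and shows the flawed lookup beside a version that verifies membership in the post's channel before returning any content. The names Store, NewSampleStore, AttachPostInsecure and AttachPostSecure, and the sample data, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Post is a minimal stand-in for a Mattermost post. The real plugin works with
// model.Post; this struct is an assumption made for the example.
type Post struct {
	ID        string
	ChannelID string
	Message   string
	FileNames []string
}

// Store is a hypothetical lookup layer standing in for the plugin API:
// posts by ID, and memberships as channelID -> userID -> member.
type Store struct {
	posts       map[string]Post
	memberships map[string]map[string]bool
}

var ErrNotFound = errors.New("post not found")

// NewSampleStore builds constructed sample data: a public channel that both
// users belong to and a private channel that only "alice" belongs to.
func NewSampleStore() *Store {
	return &Store{
		posts: map[string]Post{
			"post-public": {ID: "post-public", ChannelID: "town-square", Message: "standup at 10"},
			"post-private": {ID: "post-private", ChannelID: "exec-private",
				Message: "Q3 acquisition target: Acme", FileNames: []string{"termsheet.pdf"}},
		},
		memberships: map[string]map[string]bool{
			"town-square":  {"alice": true, "mallory": true},
			"exec-private": {"alice": true},
		},
	}
}

// formatComment renders a post the way it would be pasted into a Jira comment.
func formatComment(p Post) string {
	if len(p.FileNames) == 0 {
		return p.Message
	}
	return p.Message + "\nAttachments: " + strings.Join(p.FileNames, ", ")
}

// AttachPostInsecure models the flaw described in the advisory: the post is
// fetched by the caller-supplied ID and rendered without checking that userID
// may read the channel it belongs to.
func (s *Store) AttachPostInsecure(userID, postID string) (string, error) {
	post, ok := s.posts[postID]
	if !ok {
		return "", ErrNotFound
	}
	return formatComment(post), nil
}

// AttachPostSecure adds the missing authorization step (CWE-863): the post is
// rendered only if userID is a member of post.ChannelID, the channel of the
// post actually fetched rather than anything the caller claims. A failed check
// returns the same error as a missing post so the endpoint does not confirm
// which post IDs exist.
func (s *Store) AttachPostSecure(userID, postID string) (string, error) {
	post, ok := s.posts[postID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.memberships[post.ChannelID][userID] {
		return "", ErrNotFound
	}
	return formatComment(post), nil
}

func main() {
	s := NewSampleStore()
	handlers := []struct {
		name string
		f    func(string, string) (string, error)
	}{{"insecure", s.AttachPostInsecure}, {"secure", s.AttachPostSecure}}
	for _, h := range handlers {
		out, err := h.f("mallory", "post-private")
		fmt.Printf("%-8s mallory -> post-private: out=%q err=%v\n", h.name, out, err)
	}
}
```

In a real plugin the membership test would go through the plugin API (for example HasPermissionToChannel with the read-channel permission) rather than a map lookup; the essential point is that the check is keyed on the channel of the post that was actually loaded, and that it happens before the message or its files are read and copied into Jira.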
How can this vulnerability impact me?
The impact is unauthorized disclosure of confidential information. An attacker with Jira plugin access can read the messages and file attachments of posts in Mattermost channels they were never granted access to, and because the post is attached as a Jira issue comment, that content is also copied into Jira, where Mattermost's channel permissions no longer apply. This compromises the confidentiality of communications and data shared in those channels.