Primary

Context

Mattermost Password Hash and MFA Secret Exposure Vulnerability

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x through 10.11.3, 10.5.x through 10.5.11, and 10.12.x through 10.12.0. These versions fail to properly sanitize user data, allowing system administrators to retrieve password hashes and multi-factor authentication (MFA) secrets. This can be exploited through the POST /api/v4/users/{user_id}/email/verify/member endpoint.

Impact

Exploitation of this vulnerability allows unauthorized access to users' password hashes and MFA secrets, which could lead to account compromise.

Remediation

Users can upgrade to Mattermost versions 11.1.011.0.310.12.210.11.510.5.13 or 11.0.0 to address this vulnerability.

Added: Nov 14, 2025, 11:17 AM

Updated: Nov 14, 2025, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

4.8

remediation

7.7

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

4.8

remediation

7.7

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Password Hash and MFA Secret Exposure Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating