Mattermost 10.11/11.1/11.2 WS Sensitive Data Leak (hash/mfa)
CVE-2025-13821 Published on February 16, 2026
User profile update exposes password hash and MFA secrets
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
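The root cause the advisory describes is a user record reaching the WebSocket broadcast path without its server-only fields removed. The following Go program is an added example, not Mattermost's own code: the `User` struct, its field names and the event envelope are assumptions that only mirror the kinds of fields the advisory names. It shows the defensive pattern the fix implies (clear the password hash and MFA secret unconditionally before any event is serialised) alongside a regression check that scans an outbound payload for those keys, so a leaking event type is caught in tests rather than by a client.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical profile record. It is not Mattermost's model.User;
// the fields only reflect the categories of data the advisory mentions.
type User struct {
	ID        string `json:"id"`
	Username  string `json:"username"`
	Nickname  string `json:"nickname"`
	Email     string `json:"email,omitempty"`
	Password  string `json:"password,omitempty"`   // stored hash: server-only
	MfaSecret string `json:"mfa_secret,omitempty"` // TOTP seed: server-only
	MfaActive bool   `json:"mfa_active"`
}

// WebSocketEvent is a minimal broadcast envelope constructed for this example.
type WebSocketEvent struct {
	Event string          `json:"event"`
	Data  json.RawMessage `json:"data"`
}

// sensitiveKeys are JSON keys that must never appear in a broadcast payload.
var sensitiveKeys = map[string]bool{"password": true, "mfa_secret": true}

// SanitizeForBroadcast returns a copy of u with server-only secrets cleared.
// The cleared fields carry omitempty, so they vanish from the JSON entirely
// rather than being sent as empty strings.
func SanitizeForBroadcast(u User) User {
	u.Password = ""
	u.MfaSecret = ""
	return u
}

// BuildRawEvent is the flawed pattern: it serialises the record as stored.
// It is kept here only so the regression check below has something to catch.
func BuildRawEvent(u User) ([]byte, error) {
	data, err := json.Marshal(u)
	if err != nil {
		return nil, err
	}
	return json.Marshal(WebSocketEvent{Event: "user_updated", Data: data})
}

// BuildUserUpdatedEvent is the hardened pattern: sanitisation is applied
// inside the builder, so no caller can forget it.
func BuildUserUpdatedEvent(u User) ([]byte, error) {
	data, err := json.Marshal(SanitizeForBroadcast(u))
	if err != nil {
		return nil, err
	}
	return json.Marshal(WebSocketEvent{Event: "user_updated", Data: data})
}

// LeakedKeys decodes a broadcast payload and returns any sensitive keys that
// survived into the data object. Run it over every outbound event type.
func LeakedKeys(payload []byte) ([]string, error) {
	var ev WebSocketEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return nil, err
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(ev.Data, &obj); err != nil {
		return nil, err
	}
	var leaked []string
	for k := range obj {
		if sensitiveKeys[k] {
			leaked = append(leaked, k)
		}
	}
	return leaked, nil
}

func main() {
	// Constructed sample record; the hash and seed are placeholders.
	u := User{ID: "u1", Username: "alice", Nickname: "Ally",
		Email: "alice@example.com", Password: "$2a$10$PLACEHOLDERHASH",
		MfaSecret: "PLACEHOLDERSEED", MfaActive: true}

	raw, _ := BuildRawEvent(u)
	leaked, _ := LeakedKeys(raw)
	fmt.Printf("raw event leaks: %v\n", leaked)

	safe, _ := BuildUserUpdatedEvent(u)
	leaked, _ = LeakedKeys(safe)
	fmt.Printf("sanitised event leaks: %v\n%s\n", leaked, safe)
}
```

The design choice worth copying is that sanitisation lives inside the event builder rather than at each call site: a nickname update and an email-verification event then share one path, and a newly added event type cannot regress by omission. `LeakedKeys` is deliberately independent of the struct definition, so it still catches a secret that reaches the wire through a different type or a hand-built map.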
Vulnerability Analysis
CVE-2025-13821 can be exploited with network access, requires user interaction and only low user privileges. This vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-13821 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-13821
Affected Versions
Mattermost:
- Version 11.1.0 through 11.1.2 is affected.
- Version 10.11.0 through 10.11.9 is affected.
- Version 11.2.0 through 11.2.1 is affected.
- Version 11.3.0 is unaffected.
- Version 11.1.3 is unaffected.
- Version 10.11.10 is unaffected.
- Version 11.2.2 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.