CVE-2025-11794: 
vulnerability analysis and mitigation

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, and 10.12.x <= 10.12.0 contain a security vulnerability identified as CVE-2025-11794. The vulnerability was disclosed on November 14, 2025, and involves a failure to properly sanitize user data that could expose sensitive authentication information (NVD, Miggo).

The vulnerability is characterized by improper sanitization of user data that allows system administrators to access password hashes and MFA secrets through the POST /api/v4/users/{user_id}/email/verify/member endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. It is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows system administrators to gain unauthorized access to sensitive authentication data, including password hashes and Multi-Factor Authentication (MFA) secrets. This exposure of cryptographic materials could potentially lead to unauthorized account access if the obtained information is successfully exploited (Miggo).

Organizations should upgrade to the following patched versions based on their current installation: Mattermost version 10.11.4 for 10.11.x installations, version 10.5.12 for 10.5.x installations, and version 10.12.1 for 10.12.x installations (Miggo).