
Cloud Vulnerability DB
A community-led vulnerabilities database
Mattermost versions prior to 11.0 contain a security vulnerability (CVE-2025-55070) where the system fails to enforce multi-factor authentication (MFA) on WebSocket connections. This vulnerability was disclosed on November 14, 2025, affecting all Mattermost server installations below version 11.0. The issue allows users to bypass MFA requirements and access sensitive information through WebSocket events (NVD, Miggo).
The vulnerability exists in the WebConn.IsAuthenticated function within server/channels/app/platform/web_conn.go. In affected versions, this function only verifies the session token without checking for MFA completion. When a WebSocket connection is established, the WebConn.ShouldSendEvent function calls WebConn.IsAuthenticated to determine event authorization. Due to the incomplete authentication check, users could receive real-time events and sensitive information without providing an MFA token. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Miggo).
The vulnerability allows users who have completed basic authentication but not MFA to access sensitive information transmitted through WebSocket events. This creates a significant security bypass of the MFA protection mechanism, potentially exposing confidential data to unauthorized users (NVD).
Organizations should upgrade to Mattermost version 11.0 or later, which includes a patch that properly enforces MFA on WebSocket connections. The fix involves renaming the original IsAuthenticated function to IsBasicAuthenticated and implementing a new IsAuthenticated function that properly verifies both session validity and MFA completion (Miggo).
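The check described above, reduced to a small Go model so the difference between the two versions is visible. This is an added illustration, not Mattermost's code: the `Session`, `User` and `WebConn` types, the `NewWebConn` constructor and the `mfaRequired` logic are constructed for the example, and the `ShouldSendEventLegacy` function stands in for the pre-11.0 behaviour in which the event gate only consulted the session token.

```go
package main

import (
	"fmt"
	"time"
)

// Session is a constructed stand-in for a server session (hypothetical type,
// not Mattermost's). MFADone records whether the MFA challenge was completed.
type Session struct {
	Token     string
	ExpiresAt time.Time
	MFADone   bool
}

// User is a constructed stand-in; MFAActive means MFA is enabled for the user.
type User struct {
	MFAActive bool
}

// WebConn models one WebSocket connection. The clock is injected so the
// expiry check is deterministic in tests.
type WebConn struct {
	session *Session
	user    *User
	now     func() time.Time
}

// NewWebConn builds a connection for the given token/expiry and MFA state.
func NewWebConn(token string, expires time.Time, mfaActive, mfaDone bool, now func() time.Time) *WebConn {
	return &WebConn{
		session: &Session{Token: token, ExpiresAt: expires, MFADone: mfaDone},
		user:    &User{MFAActive: mfaActive},
		now:     now,
	}
}

// IsBasicAuthenticated is the original check: a session token exists and has
// not expired. This is all the pre-11.0 IsAuthenticated verified.
func (wc *WebConn) IsBasicAuthenticated() bool {
	return wc.session != nil && wc.session.Token != "" && wc.now().Before(wc.session.ExpiresAt)
}

// mfaRequired reports whether this user still owes an MFA step for the session.
func (wc *WebConn) mfaRequired() bool {
	return wc.user != nil && wc.user.MFAActive && !wc.session.MFADone
}

// IsAuthenticated is the corrected check: basic authentication plus MFA
// completion whenever MFA is active for the user.
func (wc *WebConn) IsAuthenticated() bool {
	return wc.IsBasicAuthenticated() && !wc.mfaRequired()
}

// ShouldSendEventLegacy models the vulnerable gate: it stops at the token check,
// so a session that has not finished MFA still receives real-time events.
func (wc *WebConn) ShouldSendEventLegacy(event string) bool {
	return wc.IsBasicAuthenticated()
}

// ShouldSendEvent models the patched gate, which requires full authentication.
func (wc *WebConn) ShouldSendEvent(event string) bool {
	return wc.IsAuthenticated()
}

func main() {
	fixed := time.Date(2025, 11, 14, 0, 0, 0, 0, time.UTC) // constructed clock value
	clock := func() time.Time { return fixed }
	cases := []struct {
		name      string
		mfaActive bool
		mfaDone   bool
	}{
		{"MFA off", false, false},
		{"MFA on, completed", true, true},
		{"MFA on, not completed", true, false}, // the case the advisory describes
	}
	for _, c := range cases {
		wc := NewWebConn("session-token", fixed.Add(time.Hour), c.mfaActive, c.mfaDone, clock)
		fmt.Printf("%-24s legacy=%v patched=%v\n", c.name,
			wc.ShouldSendEventLegacy("posted"), wc.ShouldSendEvent("posted"))
	}
}
```

The only case where the two gates disagree is a valid session whose user has MFA active but has not completed the challenge: the legacy gate delivers events, the patched one does not. An expired or empty token is rejected by both, which shows that the fix narrows what counts as authenticated rather than replacing the session check.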
Source: This report was generated using AI