CVE-2025-64641 in Mattermost

Summary

by MITRE • 12/24/2025

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts


Analysis

by VulDB Data Team • 01/01/2026

The vulnerability affects Mattermost server 11.1.0, the 11.0.x line up to 11.0.5, the 10.12.x line up to 10.12.3 and the 10.11.x line up to 10.11.7, in the server-side handling of interactive post actions used by the Jira plugin. A post action is a button or menu attached to a post; when a user clicks it, the server forwards the click to the integration URL the action names, together with the clicking user's identity and the action's context. The affected servers forward clicks to the Jira plugin's /share-issue-publicly endpoint without verifying that the post carrying the action was itself created by the Jira plugin. This is an improper-authorization flaw (CWE-285): the check that would tie the action to its legitimate originator is missing, so any user who can create posts can craft one whose action looks and behaves like a genuine Jira plugin control.

Exploitation proceeds as follows. A malicious user, who needs nothing beyond the ability to post in a channel the victim reads, creates a post containing an action whose integration URL points at the Jira plugin's /share-issue-publicly endpoint and whose context names a Jira issue key of the attacker's choosing. Nothing distinguishes the forged post from one the plugin created, and the server does not check its origin. When a victim who has connected their Jira account clicks the action, the server delivers the click to the plugin under the victim's identity, and the plugin performs the share with the victim's Jira access, so the issue's contents are published in Mattermost where the attacker can read them. Every Jira API call is therefore made under a legitimate account, while the person who chose the issue key is the attacker. VulDB maps this to ATT&CK T1078.004 (Valid Accounts: Cloud Accounts) on that basis; in practice the flaw is closer to a confused-deputy or cross-site-request-forgery pattern, since the attacker never holds the victim's credentials but induces the victim's own session to act.

The operational impact is disclosure of Jira data through the Mattermost integration: issue summaries, descriptions and any other fields the plugin shares, for tickets the attacker could not read directly. Exploitation does require the victim to interact with the post (the CVE text says "when victim users interacted with affected posts"); merely viewing it is not enough, but one click by any user with a connected Jira account is. The attacker needs no elevated Mattermost privileges and no Jira access of their own, which is what makes the flaw attractive: the legitimate integration, and the trust users place in plugin-generated posts, become the conduit. Organizations that have connected Mattermost to a Jira instance holding sensitive project or security-tracking data are the ones exposed.

Organizations should upgrade to a Mattermost server release newer than the affected versions in the branch they run. Until that is done, the practical check is origin verification: a post action that targets the plugin's /share-issue-publicly endpoint should only be honoured when the post carrying it was created by the Jira plugin, for example by confirming the post's author is the plugin's bot account, or by binding the action context to the plugin with a value a third party cannot forge, before anything is done on the clicking user's behalf. Security teams can apply the same rule retrospectively: review existing posts whose attachments carry actions targeting that path but whose author is not the plugin, and treat any hit as an exploitation attempt. It is also worth knowing which accounts are connected to Jira, since each connected account is a potential deputy for this class of attack.
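The origin check described above, as an added example; this is illustrative Go that is not Mattermost's or the Jira plugin's own code, and it uses a constructed model of a post and its actions, an assumed bot user ID and an assumed path suffix. It shows the flawed handler beside a hardened one that refuses clicks on posts the plugin did not author, plus the same rule applied as an audit over existing posts (covering both the mechanism and the mitigation sections):

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed identifiers for illustration only; neither value comes from the
// page or from the Mattermost code base.
const (
	jiraBotUserID = "bot-jira-0001"
	sharePath     = "/share-issue-publicly"
)

// Action is a simplified model of an interactive post action: the integration
// URL the server calls on click, plus an opaque context echoed back to it.
type Action struct {
	Name    string
	URL     string
	Context map[string]string
}

// Post is a simplified post: its author and the actions it carries.
type Post struct {
	ID      string
	UserID  string
	Actions []Action
}

var ErrUntrustedOrigin = errors.New("post action was not created by the Jira plugin")

// performShare stands in for the plugin work that runs with the clicking
// user's Jira access: fetch the issue and post it publicly.
func performShare(clickedBy, issueKey string) string {
	return fmt.Sprintf("%s shared %s publicly", clickedBy, issueKey)
}

// handleVulnerable mirrors the flawed behaviour: it acts on whatever issue key
// the action context carries, never consulting who created the post.
func handleVulnerable(post Post, clickedBy string, a Action) (string, error) {
	return performShare(clickedBy, a.Context["issue_key"]), nil
}

// handleHardened refuses to act unless the action targets the expected path
// and the post carrying it was authored by the plugin's own bot account.
func handleHardened(post Post, clickedBy string, a Action) (string, error) {
	if !strings.HasSuffix(a.URL, sharePath) {
		return "", errors.New("action URL does not target the share endpoint")
	}
	if post.UserID != jiraBotUserID {
		return "", ErrUntrustedOrigin
	}
	key := a.Context["issue_key"]
	if key == "" {
		return "", errors.New("missing issue_key in action context")
	}
	return performShare(clickedBy, key), nil
}

// AuditPosts returns the IDs of posts that carry a share action but were not
// authored by the plugin bot: the shape a forged post takes.
func AuditPosts(posts []Post) []string {
	var flagged []string
	for _, p := range posts {
		for _, a := range p.Actions {
			if strings.HasSuffix(a.URL, sharePath) && p.UserID != jiraBotUserID {
				flagged = append(flagged, p.ID)
				break
			}
		}
	}
	return flagged
}

// samplePosts is constructed data: one genuine plugin post, one forged post
// from an ordinary user pointing at a ticket of their choosing, one plain post.
func samplePosts() []Post {
	shareURL := "https://mattermost.example.invalid/plugins/jira" + sharePath
	return []Post{
		{ID: "post-jira", UserID: jiraBotUserID, Actions: []Action{
			{Name: "Share publicly", URL: shareURL, Context: map[string]string{"issue_key": "PROJ-42"}},
		}},
		{ID: "post-mallory", UserID: "user-mallory", Actions: []Action{
			{Name: "View details", URL: shareURL, Context: map[string]string{"issue_key": "SEC-7"}},
		}},
		{ID: "post-alice", UserID: "user-alice"},
	}
}

func main() {
	posts := samplePosts()
	forged := posts[1]
	out, _ := handleVulnerable(forged, "user-victim", forged.Actions[0])
	fmt.Println("vulnerable handler:", out)
	if _, err := handleHardened(forged, "user-victim", forged.Actions[0]); err != nil {
		fmt.Println("hardened handler:", err)
	}
	fmt.Println("flagged by audit:", AuditPosts(posts))
}
```

In a real plugin the post would not arrive in the handler as a value: the click request carries the post ID and the clicking user's ID, and the plugin would look the post up through the server API before deciding. The author check is one way to establish origin; an unforgeable token placed in the action context by the plugin when it creates the post, and verified on click, achieves the same end without a lookup.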

Responsible

Mattermost

Reservation

11/26/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00146

KEV

no

Activities

very low

Sources
