{"id":"GHSA-f72g-52v7-mg3p","summary":"Mattermost boards plugin fails to restrict download access to files","details":"Mattermost versions 10.5.x \u003c= 10.5.8, 9.11.x \u003c= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.","aliases":["CVE-2025-9081","GO-2025-3978"],"modified":"2025-09-26T16:23:18Z","published":"2025-09-19T21:31:21Z","database_specific":{"nvd_published_at":"2025-09-19T20:15:40Z","severity":"LOW","cwe_ids":["CWE-639"],"github_reviewed_at":"2025-09-22T18:00:01Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9081"},{"type":"WEB","url":"https://github.com/mattermost/mattermost-plugin-boards/pull/114"},{"type":"WEB","url":"https://github.com/mattermost/mattermost-plugin-boards/commit/3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost-plugin-boards"},{"type":"WEB","url":"https://mattermost.com/security-updates"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-3978"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost-plugin-boards","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-plugin-boards"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20250716054606-3f3e3becfe1d"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f72g-52v7-mg3p/GHSA-f72g-52v7-mg3p.json"}},{"package":{"name":"github.com/mattermost/mattermost/server/v8","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.0.0-20250721095935-11c36f4d1e44"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f72g-52v7-mg3p/GHSA-f72g-52v7-mg3p.json"}},{"pack
age":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"10.5.0-rc1"},{"fixed":"10.5.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f72g-52v7-mg3p/GHSA-f72g-52v7-mg3p.json"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.11.0-rc1"},{"fixed":"9.11.18"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f72g-52v7-mg3p/GHSA-f72g-52v7-mg3p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}