NIXPKGS-2026-0264
GitHub issue
published on 17 Feb 2026
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 4 packages
  - mattermost-desktop
  - python312Packages.mattermostdriver
  - python313Packages.mattermostdriver
  - python314Packages.mattermostdriver
- @LeSuisse removed 5 maintainers
  - @fsagbuya
  - @Kranzes
  - @numinit
  - @mgdelacroix
  - @ryantm
- @LeSuisse accepted
- @LeSuisse published on GitHub
User profile update exposes password hash and MFA secrets
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages, which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Affected products
Mattermost
- =<10.11.9
- ==11.3.0
- ==11.1.3
- =<11.1.2
- ==11.2.2
- =<11.2.1
- ==10.11.10
Matching in nixpkgs
pkgs.mattermost
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle
Package maintainers
Ignored maintainers (5)
- @fsagbuya Florian Agbuya <fa@m-labs.ph>
- @Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
- @numinit Morgan Jones <me+nixpkgs@numin.it>
- @mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>
- @ryantm Ryan Mulligan <ryan@ryantm.com>