Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0260

NIXPKGS-2026-0260
published 4 months ago
Permalink CVE-2026-0999
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 months ago by @LeSuisse Activity log
  • Created suggestion 4 months ago
  • @LeSuisse ignored
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 months ago
  • @LeSuisse deleted
    5 maintainers
    • @ryantm
    • @mgdelacroix
    • @numinit
    • @Kranzes
    • @fsagbuya
    4 months ago maintainer.delete
  • @LeSuisse accepted 4 months ago
  • @LeSuisse published on GitHub 4 months ago
Authentication bypass via userID login when email and username login are disabled

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

References

Affected products

Mattermost
  • ==10.11.10
  • ==11.3.0
  • =<11.1.2
  • ==11.1.3
  • =<10.11.9
  • =<11.2.1
  • ==11.2.2

Matching in nixpkgs

pkgs.mattermost

Open source platform for secure collaboration across the entire software development lifecycle

pkgs.mattermostLatest

Open source platform for secure collaboration across the entire software development lifecycle

Ignored packages (4)

Package maintainers

Ignored maintainers (3) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561