Github.Com Mattermost Mattermost-Server vulnerabilities

222 known vulnerabilities affecting github.com/mattermost_mattermost-server.

Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 18, MEDIUM 100, LOW 22, UNKNOWN 72

Vulnerabilities

Page 1 of 12
CVE-2026-3113 [MEDIUM] CWE-732 | 2026-03-26
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost doesn't set permissions on downloaded bulk export
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593.

CVE-2026-26233 [MEDIUM] CWE-400 | 2026-03-25
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +2 more
Mattermost doesn't rate limit login requests, allowing DoS
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566

CVE-2026-27656 [MEDIUM] CWE-303 | 2026-03-25
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +2 more
Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts

CVE-2026-24458 [HIGH] CWE-770 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260129164748-7201f42d955f; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to properly handle very long passwords
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

CVE-2026-21386 [MEDIUM] CWE-203 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260130144323-5bb5261c72fa; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to use consistent error responses when handling the /mute command
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent

CVE-2026-2455 [MEDIUM] CWE-918 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260129133647-5d787969c2d5; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).

CVE-2026-2458 [MEDIUM] CWE-862 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260113182106-a18b80ba4c32; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost allows a removed team member to enumerate all public channels within a private team
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermos

CVE-2026-24692 [MEDIUM] CWE-863 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260107142155-0481bd1fb045; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to properly enforce read permissions in search API endpoints
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

CVE-2026-2578 [MEDIUM] CWE-201 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260127062706-c6b205f0d770; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

CVE-2026-26246 [MEDIUM] CWE-789 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260115183946-38b413a27604; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to bound memory allocation when processing PSD image files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00

CVE-2026-25783 [MEDIUM] CWE-1287 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260129181235-1346cf529aef; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to properly validate User-Agent header tokens
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586

CVE-2026-25780 [MEDIUM] CWE-789 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260123215601-86797c508c44; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to bound memory allocation when processing DOC files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581

CVE-2026-2463 [MEDIUM] CWE-862 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260105134819-cc427af41b2a; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to filter invite IDs based on user permissions
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565

CVE-2026-2456 [MEDIUM] CWE-789 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260127165411-fe3052073dc6; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to limit the size of responses from integration action endpoints
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an

CVE-2026-4265 [MEDIUM] CWE-863 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260107144005-c7f6efdfb035; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to validate team-specific upload_file permissions
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a di

CVE-2026-2457 [MEDIUM] CWE-346 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260123211116-9efe617be8b8; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost allows attackers to spoof permalink embeds
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569

CVE-2026-22545 [LOW] CWE-863 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260127144908-ced9a56e3988; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to validate user's authentication method when processing account auth type switch
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermos

CVE-2025-13821 [MEDIUM] CWE-200 | 2026-02-16
Affected: ≥ 11.1.0; ≥ 10.11.0; +2 more
Mattermost fails to sanitize sensitive data in WebSocket messages
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

CVE-2025-14350 [MEDIUM] CWE-862 | 2026-02-16
Affected: ≥ 11.1.0; ≥ 10.11.0; +2 more
Mattermost fails to properly validate team membership when processing channel mentions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the chann

CVE-2026-0999 [MEDIUM] CWE-303 | 2026-02-16
Affected: ≥ 11.1.0; ≥ 10.11.0; +2 more
Mattermost fails to properly validate login method restrictions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Github.Com Mattermost Mattermost-Server vulnerabilities | cvebase