github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 10 of 13
CVE-2026-25780 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260123215601-86797c508c44; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
CVE-2026-25780 [MEDIUM] CWE-789 Mattermost fails to bound memory allocation when processing DOC files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Sources: ghsa, osv
CVE-2025-2527 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible | 2025-05-23
CVE-2025-2527 Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-3228 | P4 | MEDIUM | ≥ 0, < 0.0.0-20250520060012-d0380305ef7a | 2025-06-20
CVE-2025-3228 [MEDIUM] CWE-863 Mattermost allows an unauthorized Guest user access to Playbook
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from the playbooks handler for guest users, which allows an attacker access to the playbook run.
Sources: ghsa, osv
CVE-2025-1472 | P4 | MEDIUM | ≥ 9.11.0, < 9.11.9 | 2025-03-19
CVE-2025-1472 [MEDIUM] CWE-863 Mattermost Fails to Properly Perform Viewer Role Authorization
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
Sources: ghsa, osv
CVE-2025-2424 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible | 2025-04-22
CVE-2025-2424 Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-47870 | P4 | MEDIUM | ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more | 2025-08-21
CVE-2025-47870 [MEDIUM] CWE-306 Mattermost Does Not Sanitize the Team Invite ID
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to get the team's invite ID.
Sources: ghsa, osv
CVE-2025-12559 | P4 | MEDIUM | ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more | 2025-11-27
CVE-2025-12559 [MEDIUM] CWE-200 Mattermost fails to sanitize team email addresses
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses so that they are visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Sources: ghsa, osv
CVE-2025-4128 | P4 | LOW | ≥ 10.5.0, < 10.5.5; ≥ 9.11.0, < 9.11.14 | 2025-06-11
CVE-2025-4128 [LOW] CWE-863 Mattermost allows guest users to view information about public teams they are not members of
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Sources: ghsa, osv
CVE-2025-49810 | P4 | LOW | ≥ 10.5.0, < 10.5.9 | 2025-08-21
CVE-2025-49810 [LOW] CWE-863 Mattermost Lack of Access Control Validation
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access, which allows a user to read a thread via AI posts.
Sources: ghsa, osv
CVE-2025-24839 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more | 2025-04-22
CVE-2025-24839 Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-2571 | P4 | UNKNOWN | ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +2 more | 2025-06-03
CVE-2025-2571 Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-14350 | P4 | MEDIUM | ≥ 11.1.0; ≥ 10.11.0; +2 more | 2026-02-16
CVE-2025-14350 [MEDIUM] CWE-862 Mattermost fails to properly validate team membership when processing channel mentions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions, which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the chann
Sources: ghsa, osv
CVE-2025-11777 | P4 | LOW | ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | 2025-11-13
CVE-2025-11777 [LOW] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Sources: ghsa, osv
CVE-2026-3495 | P4 | LOW | ≥ 0, < 5.3.2-0.20260310115442-5a1ea95044dc | 2026-05-18
CVE-2026-3495 [LOW] CWE-79 Mattermost doesn't escape some variables that could contain malicious content during error page composition
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute some malicious code v
Sources: ghsa
CVE-2025-9078 | P4 | MEDIUM | ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more | 2025-09-15
CVE-2025-9078 [MEDIUM] CWE-328 Mattermost makes Use of Weak Hash
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata, which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
Sources: ghsa, osv
CVE-2017-18873 | P4 | MEDIUM | ≥ 0, < 4.1.2-0.20171013141717-ee57a5829ab1; ≥ 4.2.0, < 4.2.1-0.20171013140502-b3e4b0ac9168; +1 more | 2022-05-24
CVE-2017-18873 [MEDIUM] CWE-20 Mattermost Server is vulnerable to channel invisibility DoS via misformatted post
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
Sources: ghsa, osv
CVE-2024-1953 | P4 | UNKNOWN | ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more | 2024-06-28
CVE-2024-1953 Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerabil
Sources: osv
CVE-2024-1887 | P4 | UNKNOWN | ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible | 2024-06-28
CVE-2024-1887 Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing fa
Sources: osv
CVE-2024-24776 | P4 | UNKNOWN | ≥ 9.0.0+incompatible, < 9.3.0+incompatible | 2024-06-05
CVE-2024-24776 Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerabi
Sources: osv
CVE-2025-24526 | P4 | UNKNOWN | ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more | 2025-03-03
CVE-2025-24526 Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
Sources: osv