
github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 12 of 13
CVE-2025-4573 | P4 | MEDIUM | CWE-90 | 2025-06-11
Affected: ≥ 10.7.0, < 10.7.2; ≥ 10.6.0, < 10.6.4; +2 more
Mattermost allows authenticated administrator to execute LDAP search filter injection
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT
Sources: GHSA, OSV
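The entry above describes a CWE-90 flaw in how an admin-supplied LDAP group ID attribute reaches a search filter. The Go block below is an added illustration, not Mattermost's code and not the patched code path: it contrasts a filter built by string interpolation with one that allowlists the attribute name and hex-escapes the value as RFC 4515 requires. The function names, the `(&(objectClass=group)(...))` filter shape and the injection payload are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue hex-escapes every byte that RFC 4515 treats specially in an
// assertion value (backslash, asterisk, parentheses, NUL) and, as the RFC also
// permits, control and non-ASCII bytes. The result can only ever match a value;
// it can never close a parenthesis or open a new filter component.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' || c == '*' || c == '(' || c == ')' || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// validAttributeName is a conservative allowlist for the attribute-name side of
// the filter, which cannot be escaped: letters, digits and hyphens, starting
// with a letter (a subset of the RFC 4512 attribute-description syntax).
func validAttributeName(a string) bool {
	if a == "" {
		return false
	}
	for i := 0; i < len(a); i++ {
		c := a[i]
		alpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
		digit := c >= '0' && c <= '9'
		if i == 0 && !alpha {
			return false
		}
		if !alpha && !digit && c != '-' {
			return false
		}
	}
	return true
}

// unsafeGroupFilter shows the vulnerable pattern: an admin-controlled attribute
// name and value are interpolated straight into the search filter.
func unsafeGroupFilter(idAttr, groupID string) string {
	return fmt.Sprintf("(&(objectClass=group)(%s=%s))", idAttr, groupID)
}

// safeGroupFilter validates the attribute name and escapes the value.
func safeGroupFilter(idAttr, groupID string) (string, error) {
	if !validAttributeName(idAttr) {
		return "", fmt.Errorf("invalid LDAP attribute name %q", idAttr)
	}
	return fmt.Sprintf("(&(objectClass=group)(%s=%s))", idAttr, escapeFilterValue(groupID)), nil
}

func main() {
	// Constructed injection payload: closes the value and appends a match-all clause.
	payload := "*)(objectClass=*"
	fmt.Println("unsafe:", unsafeGroupFilter("cn", payload))
	safe, _ := safeGroupFilter("cn", payload)
	fmt.Println("safe:  ", safe)
	if _, err := safeGroupFilter("cn)(uid", "x"); err != nil {
		fmt.Println("rejected attribute name:", err)
	}
}
```

The attribute name needs an allowlist rather than escaping because RFC 4515 defines escaping only for assertion values; a name containing `)` cannot be made safe, only rejected. Libraries such as go-ldap ship an equivalent of `escapeFilterValue`; the hand-written version here keeps the example dependency-free.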
CVE-2017-18878 | P4 | MEDIUM | CWE-284 | 2022-05-24
Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60c; ≥ 4.2.0-rc1, < 4.2.1-0.20171004192657-8fbbd688ea24; +1 more
Mattermost Server allows users with a session ID to revoke another user's session
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
Sources: GHSA, OSV
CVE-2016-11080 | P4 | MEDIUM | CWE-200 | 2022-05-24
Affected: ≥ 0, < 3.0.0
Mattermost Server exposes account details to any Team Administrator
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
Sources: GHSA, OSV
CVE-2017-18872 | P4 | MEDIUM | CWE-862 | 2022-05-24
Affected: ≥ 0, < 4.3.3; ≥ 4.4.0-rc1, < 4.4.3
Mattermost Server's OAuth 2.0 service is vulnerable to attack through missing authorization
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
Sources: GHSA, OSV
CVE-2025-54499 | P4 | LOW | CWE-208 | 2025-10-16
Affected: ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3
Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
Sources: GHSA, OSV
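The entry above is the classic CWE-208 shape: a short-circuiting string comparison leaks how many leading bytes of a guess matched, and an attacker who can measure that recovers the secret one byte at a time. The Go block below is an added example, not Mattermost's code: it models the leak with an explicit step count standing in for response latency (a constructed proxy, since wall-clock timing of a 25-byte compare is buried in noise on a laptop), runs the byte-by-byte recovery against it, and then shows the same attack failing against a hash-then-`subtle.ConstantTimeCompare` check. `sampleSecret` and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed sample standing in for a Cloud API key or OAuth client secret.
var sampleSecret = []byte("k7Qz-example-oauth-secret")

// compareSteps models a short-circuiting comparison (what == on strings does)
// and reports how many bytes it examined before returning. On a real server
// that count is what response-time measurement exposes to the attacker.
func compareSteps(presented, stored []byte) (equal bool, steps int) {
	if len(presented) != len(stored) {
		return false, 0
	}
	for i := range stored {
		steps++
		if presented[i] != stored[i] {
			return false, steps
		}
	}
	return true, steps
}

// secretEqualSteps is the fixed shape: both values are hashed to a fixed
// length and compared with subtle.ConstantTimeCompare, so the work done is
// independent of where the first difference lies and of the stored length.
// The step count is therefore a constant, sha256.Size.
func secretEqualSteps(presented, stored []byte) (equal bool, steps int) {
	hp := sha256.Sum256(presented)
	hs := sha256.Sum256(stored)
	return subtle.ConstantTimeCompare(hp[:], hs[:]) == 1, sha256.Size
}

// recoverViaOracle recovers a secret of known length byte by byte from an
// oracle whose step count grows with the length of the matching prefix: for
// each position it keeps the candidate byte that made the oracle work longest.
func recoverViaOracle(length int, oracle func(guess []byte) (bool, int)) []byte {
	guess := make([]byte, length)
	for pos := range guess {
		best, bestSteps := byte(0), -1
		for c := 0; c < 256; c++ {
			guess[pos] = byte(c)
			ok, steps := oracle(guess)
			if ok || steps > bestSteps {
				best, bestSteps = byte(c), steps
			}
			if ok {
				break
			}
		}
		guess[pos] = best
	}
	return guess
}

func main() {
	leaky := func(g []byte) (bool, int) { return compareSteps(g, sampleSecret) }
	fixed := func(g []byte) (bool, int) { return secretEqualSteps(g, sampleSecret) }
	fmt.Println("leaky oracle recovered secret:", bytes.Equal(recoverViaOracle(len(sampleSecret), leaky), sampleSecret))
	fmt.Println("constant-time oracle recovered secret:", bytes.Equal(recoverViaOracle(len(sampleSecret), fixed), sampleSecret))
}
```

Hashing before comparing is what makes the stored secret's length a non-issue: `subtle.ConstantTimeCompare` returns immediately when its inputs differ in length, so comparing raw secrets would still leak the length.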
CVE-2025-13324 | P4 | MEDIUM | CWE-863 | 2025-12-17
Affected: ≥ 0, < 11.0.4
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to
Sources: GHSA, OSV
CVE-2026-22545 | P4 | LOW | CWE-863 | 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260127144908-ced9a56e3988; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to validate user's authentication method when processing account auth type switch
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermos
Sources: GHSA, OSV
CVE-2026-6334 | P4 | LOW | CWE-305 | 2026-05-18
Affected: ≥ 0, < 5.3.2-0.20260318173148-e9ae890a013b
Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted
Sources: GHSA
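The entry above concerns the token-endpoint check that RFC 6749 section 4.1.3 requires: an authorization code must only be redeemable by the client it was issued to, with the same redirect_uri, and only once. The Go block below is an added example, not Mattermost's code and not a description of its fix: a minimal in-memory code store with the unbound (vulnerable) redemption beside the bound one. All names, the ten-minute lifetime, the decision to invalidate a code presented by the wrong client, and the client and user identifiers are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	errUnknownCode      = errors.New("invalid_grant: unknown, used or expired code")
	errClientMismatch   = errors.New("invalid_grant: code was issued to a different client")
	errRedirectMismatch = errors.New("invalid_grant: redirect_uri does not match")
)

// authCode records what a code was issued for. clientID is the binding that the
// token endpoint must verify against the client authenticating on redemption.
type authCode struct {
	clientID    string
	redirectURI string
	userID      string
	expires     time.Time
	used        bool
}

type codeStore struct {
	mu    sync.Mutex
	codes map[string]*authCode
	now   func() time.Time // injectable clock so expiry can be tested
}

func newCodeStore() *codeStore {
	return &codeStore{codes: map[string]*authCode{}, now: time.Now}
}

// issue mints a random, short-lived code at the authorization endpoint.
func (s *codeStore) issue(clientID, redirectURI, userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI, userID: userID, expires: s.now().Add(10 * time.Minute)}
	return code, nil
}

// redeemUnbound is the vulnerable shape: any authenticated client can turn in
// any live code, so a code captured from client A's redirect yields A's user's
// tokens to client B.
func (s *codeStore) redeemUnbound(code string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	if !ok || c.used || s.now().After(c.expires) {
		return "", errUnknownCode
	}
	c.used = true
	return c.userID, nil
}

// redeem is the bound version: the code must belong to the client that
// authenticated on this request, redirect_uri must equal the one used at
// authorization time, and the code is consumed on success. A code presented by
// the wrong client is dropped outright, since it has evidently leaked.
func (s *codeStore) redeem(code, authenticatedClientID, redirectURI string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	if !ok || c.used || s.now().After(c.expires) {
		return "", errUnknownCode
	}
	if c.clientID != authenticatedClientID {
		delete(s.codes, code)
		return "", errClientMismatch
	}
	if c.redirectURI != redirectURI {
		return "", errRedirectMismatch
	}
	c.used = true
	return c.userID, nil
}

func main() {
	s := newCodeStore()
	// Constructed scenario: a code issued to client-a is presented by client-b.
	code, _ := s.issue("client-a", "https://a.example/cb", "user-1")
	_, err := s.redeem(code, "client-b", "https://a.example/cb")
	fmt.Println("client-b redeeming client-a's code:", err)
	code, _ = s.issue("client-a", "https://a.example/cb", "user-1")
	uid, err := s.redeem(code, "client-a", "https://a.example/cb")
	fmt.Println("client-a redeeming its own code:", uid, err)
}
```

The check is ordered so that the client-binding failure is decided before redirect_uri is examined; both must hold, but a mismatch on the client is the stronger signal that the code is in the wrong hands. A public client authenticates only by `client_id`, so the same comparison applies to the `client_id` parameter of the token request.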
CVE-2024-29221 | P4 | UNKNOWN | 2024-06-05
Affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more
Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please sugge
Sources: OSV
CVE-2025-3913 | P4 | UNKNOWN | 2025-06-03
Affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.5.0-rc1+incompatible, < 10.5.4+incompatible; +2 more
Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2024-32939 | P4 | UNKNOWN | 2024-08-30
Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more
Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-53971 | P4 | LOW | CWE-863 | 2025-08-21
Affected: ≥ 10.5.0, < 10.5.9; ≥ 9.11.0, < 9.11.18
Mattermost fails to properly validate team role modification
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
Sources: GHSA, OSV
CVE-2025-47700 | P4 | LOW | CWE-918 | 2025-08-21
Affected: ≥ 10.5.0, < 10.5.10
Mattermost Server SSRF vulnerability via the Agents plugin
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
Sources: GHSA, OSV
CVE-2025-13352 | P4 | UNKNOWN | 2025-12-22
Affected: ≥ 10.11.0-rc1+incompatible
Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost
NOTE: The source advisory for this report contains additional versions that c
Sources: OSV
CVE-2025-22449 | P4 | UNKNOWN | 2025-01-09
Affected: ≥ 9.11.0+incompatible
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability s
Sources: OSV
CVE-2025-6227 | P4 | LOW | CWE-522 | 2025-07-18
Affected: ≥ 10.5.0, < 10.5.8; ≥ 9.11.0, < 9.11.17
Mattermost has Insufficiently Protected Credentials
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
Sources: GHSA, OSV
CVE-2025-55074 | P4 | LOW | CWE-276 | 2025-11-18
Affected: ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12
Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x <= 10.11.3, and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects.
Sources: GHSA, OSV
CVE-2026-20796 | P4 | LOW | CWE-367 | 2026-02-13
Affected: ≥ 10.11.0, < 10.11.10
Mattermost doesn't properly validate channel membership at the time of data retrieval
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549
Sources: GHSA, OSV
CVE-2024-4198 | P4 | LOW | CWE-284 | 2024-04-26
Affected: ≥ 9.6.0-rc1, < 9.6.1; ≥ 9.5.0, < 9.5.3; +1 more
Mattermost fails to fully validate role changes
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
Sources: GHSA, OSV
CVE-2025-24866 | P4 | UNKNOWN | 2025-04-22
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible
Mattermost fails to enforce proper access controls on the `/api/v4/audits` endpoint in github.com/mattermost/mattermost-server
Sources: OSV