github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 13 of 13
CVE-2025-1792 | P4 | UNKNOWN | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more | 2025-06-03
Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
Sources: osv
CVE-2024-4195 | P4 | LOW | affected: ≥ 9.5.0, < 9.5.3; ≥ 8.1.0, < 8.1.12 | 2024-04-26
CVE-2024-4195 [LOW] CWE-284 Mattermost allows team admins to promote guests to team admins
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Sources: ghsa, osv
CVE-2026-27769 | P4 | LOW | affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9 | 2026-04-17
CVE-2026-27769 [LOW] CWE-862 Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace, which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Conn
Sources: ghsa
CVE-2025-14573 | P4 | LOW | affected: ≥ 11.1.0; ≥ 10.11.0; +2 more | 2026-02-16
CVE-2025-14573 [LOW] CWE-862 Mattermost fails to enforce invite permissions when updating team settings
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
Sources: ghsa, osv
CVE-2016-11077 | P4 | LOW | affected: ≥ 0, < 3.0.0 | 2022-05-24
CVE-2016-11077 [LOW] CWE-732 Mattermost Server allows System Admin to modify LDAP account names and email addresses
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
Sources: ghsa, osv
CVE-2025-2570 | P4 | UNKNOWN | affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible | 2025-05-23
Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
Sources: osv
CVE-2024-1949 | P4 | UNKNOWN | affected: ≥ 9.0.0+incompatible, < 9.4.2+incompatible | 2024-06-28
Mattermost race condition in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affect
Sources: osv
CVE-2025-27538 | P4 | UNKNOWN | affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible | 2025-04-22
Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
Sources: osv
CVE-2024-40884 | P4 | UNKNOWN | affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.10.0+incompatible, < 9.10.1+incompatible | 2024-08-30
Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-27715 | P4 | UNKNOWN | affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible | 2025-03-25
Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
Sources: osv