github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 2 of 13
CVE-2017-18886 [HIGH] CWE-732 Mattermost Server does not properly restrict use of slash commands
P3 | HIGH | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
Sources: ghsa, osv
CVE-2017-18885 [CRITICAL] CWE-269 Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials
P3 | CRITICAL | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
Sources: ghsa, osv
CVE-2026-5740 [HIGH] CWE-789 Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
P3 | HIGH | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service o
Sources: ghsa
CVE-2017-18883 [MEDIUM] CWE-331 Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider
P3 | MEDIUM | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
Sources: ghsa, osv
CVE-2017-18911 [CRITICAL] CWE-295 Mattermost Server has X.509 Improper Certificate Validation
P3 | CRITICAL | Affected: ≥ 0, < 3.6.7-rc1; ≥ 3.7.0, < 3.7.5; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
Sources: ghsa, osv
CVE-2026-6347 [HIGH] CWE-200 Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
P3 | HIGH | Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the expo
Sources: ghsa
CVE-2024-40886 Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
P3 | UNKNOWN | Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more | 2024-08-30
Sources: osv
CVE-2026-3473 [HIGH] CWE-639 Mattermost doesn't validate file ownership and access control
P3 | HIGH | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
Sources: ghsa
CVE-2024-39832 Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
P3 | UNKNOWN | Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-06
Sources: osv
CVE-2017-18884 [CRITICAL] CWE-269 Mattermost Server exposes OAuth personal access tokens to attackers
P3 | CRITICAL | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
Sources: ghsa, osv
CVE-2017-18906 [HIGH] CWE-613 Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used
P3 | HIGH | Affected: ≥ 0, < 3.9.2-0.20170714134023-b17fca0d5ee7; ≥ 3.10.0, < 3.10.2 | 2022-05-24
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
Sources: ghsa, osv
CVE-2026-24458 [HIGH] CWE-770 Mattermost fails to properly handle very long passwords
P3 | HIGH | Affected: ≥ 0, < 5.3.2-0.20260129164748-7201f42d955f; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587.
Sources: ghsa, osv
CVE-2016-11066 [HIGH] CWE-200 Mattermost Server: initial_load API exposes unnecessary information
P3 | HIGH | Affected: ≥ 0, < 3.1.1 | 2022-05-24
An issue was discovered in Mattermost Server before 3.1.1. The initial_load API disclosed unnecessary personal information.
Sources: ghsa, osv
CVE-2024-8071 Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
P3 | UNKNOWN | Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more | 2024-08-30
Sources: osv
CVE-2026-5308 [HIGH] CWE-400 Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
P3 | HIGH | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646.
Sources: ghsa
CVE-2024-41144 Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
P3 | UNKNOWN | Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-06
Sources: osv
CVE-2025-35965 Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks
P3 | UNKNOWN | Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more | 2025-04-24
Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks.
NOTE: The source advisory for this report contains additional versions tha
Sources: osv
CVE-2025-9081 [LOW] CWE-639 Mattermost boards plugin fails to restrict download access to files
P3 | LOW | Affected: ≥ 10.5.0-rc1, < 10.5.9; ≥ 9.11.0-rc1, < 9.11.18 | 2025-09-19
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.
Sources: ghsa, osv
CVE-2025-31363 Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server
P3 | UNKNOWN | Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.3+incompatible; +1 more | 2025-04-22
Sources: osv
CVE-2017-18894 [HIGH] CWE-639 Mattermost Server has intermittent Authorization bypass for resource-owners
P3 | HIGH | Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Resource-owner authorization can be intermittently bypassed, allowing account takeover.
Sources: ghsa, osv