github.com/mattermost/mattermost-server vulnerabilities

222 known vulnerabilities affecting github.com/mattermost_mattermost-server.

Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 18, MEDIUM 100, LOW 22, UNKNOWN 72

Vulnerabilities

Page 2 of 12

CVE | Severity | Affected version ranges | Date
CVE-2025-14573 | LOW | ≥ 11.1.0; ≥ 10.11.0; +2 more | 2026-02-16
CWE-862: Mattermost fails to enforce invite permissions when updating team settings. Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
Sources: GHSA, OSV
CVE-2026-22892 | MEDIUM | ≥ 11.2.0, < 11.2.2; ≥ 11.1.0, < 11.1.3; +1 more | 2026-02-13
CWE-863: Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels th
Sources: GHSA, OSV
CVE-2026-20796 | LOW | ≥ 10.11.0, < 10.11.10 | 2026-02-13
CWE-367: Mattermost doesn't properly validate channel membership at the time of data retrieval. Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval, which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549
Sources: GHSA, OSV
CVE-2025-14435 | MEDIUM | ≥ 10.11.0, < 10.11.9; ≥ 11.1.0, < 11.1.2; +1 more | 2026-01-16
CWE-770: Mattermost is vulnerable to DoS due to infinite re-renders on API errors. Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors, which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
Sources: GHSA, OSV
CVE-2025-14822 | LOW | ≥ 10.11.0, < 10.11.9; ≥ 11.0.0, < 11.2.0 | 2026-01-16
CWE-407: Mattermost is vulnerable to CPU exhaustion via crafted HTTP request. Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Sources: GHSA, OSV
CVE-2025-64641 | MEDIUM | ≥ 10.11.0, < 10.11.8; ≥ 10.12.0, < 10.12.4; +2 more | 2025-12-24
CWE-863: Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin. Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allowed a malicious Mattermost user to exfiltrate Ji
Sources: GHSA, OSV
CVE-2025-13767 | MEDIUM | ≥ 10.11.0, < 10.11.8; ≥ 10.12.0, < 10.12.4; +2 more | 2025-12-24
CWE-863: Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues. Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with acce
Sources: GHSA, OSV
CVE-2025-13352 | UNKNOWN | ≥ 10.11.0-rc1+incompatible | 2025-12-22
Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that c
Sources: OSV
CVE-2025-13324 | MEDIUM | ≥ 0, < 11.0.4 | 2025-12-17
CWE-863: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation. Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to
Sources: GHSA, OSV
CVE-2025-12419 | CRITICAL | ≥ 10.12.0, < 10.12.2; ≥ 10.11.0, < 10.11.5; +2 more | 2025-11-27
CWE-287: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication. Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account vi
Sources: GHSA, OSV
CVE-2025-12421 | CRITICAL | ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more | 2025-11-27
CWE-287: Mattermost fails to verify the token used during code exchange. Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
Sources: GHSA, OSV
CVE-2025-12559 | MEDIUM | ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more | 2025-11-27
CWE-200: Mattermost fails to sanitize team email addresses. Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint
Sources: GHSA, OSV
CVE-2025-55074 | LOW | ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12 | 2025-11-18
CWE-276: Mattermost allows other users to determine when users had read channels via channel member objects. Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
Sources: GHSA, OSV
CVE-2025-11794 | MEDIUM | ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | 2025-11-14
CWE-200: Mattermost allows system administrators to access password hashes and MFA secrets. Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
Sources: GHSA, OSV
CVE-2025-55073 | MEDIUM | ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | 2025-11-14
CWE-306: Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth re
Sources: GHSA, OSV
CVE-2025-55070 | MEDIUM | ≥ 0, < 11.1.0 | 2025-11-14
CWE-306: Mattermost does not enforce MFA on WebSocket connections. Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Sources: GHSA, OSV
CVE-2025-11776 | MEDIUM | ≥ 0, < 5.3.2-0.20250815165020-c8d66301415d | 2025-11-14
CWE-863: Mattermost fails to properly restrict access to archived channel search API. Mattermost versions < 11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
Sources: GHSA, OSV
CVE-2025-41436 | LOW | ≥ 0, < 11.0.0-alpha.1 | 2025-11-14
CWE-863: Mattermost allows regular users to access archived channel content and files. Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
Sources: GHSA, OSV
CVE-2025-11777 | LOW | ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | 2025-11-13
CWE-863: Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Sources: GHSA, OSV
CVE-2025-58073 | HIGH | ≥ 10.11.0, < 10.11.2; ≥ 10.10.0, < 10.10.3; +1 more | 2025-10-16
CWE-862: Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Sources: GHSA, OSV