Github.Com Mattermost Mattermost-Server vulnerabilities

CVE-2025-58075 [HIGH] CWE-862 Mattermost has a Missing Authorization vulnerability Mattermost has a Missing Authorization vulnerability Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.

CVE-2025-41410 [MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability Mattermost has a Missing Authorization vulnerability Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.

CVE-2025-41443 [MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability Mattermost has a Missing Authorization vulnerability Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint

CVE-2025-54499 [LOW] CWE-208 Mattermost has an Observable Timing Discrepancy vulnerability Mattermost has an Observable Timing Discrepancy vulnerability Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.

CVE-2025-10545 [LOW] CWE-863 Mattermost has an Incorrect Authorization vulnerability Mattermost has an Incorrect Authorization vulnerability Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint

CVE-2025-9079 [HIGH] CWE-22 Mattermost Path Traversal vulnerability Mattermost Path Traversal vulnerability Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory

CVE-2025-9081 [LOW] CWE-639 Mattermost boards plugin fails to restrict download access to files Mattermost boards plugin fails to restrict download access to files Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

CVE-2025-9072 [HIGH] CWE-601 Mattermost Open Redirect vulnerability Mattermost Open Redirect vulnerability Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.

CVE-2025-9076 [MEDIUM] CWE-862 Mattermost Missing Authorization vulnerability Mattermost Missing Authorization vulnerability Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.

CVE-2025-9078 [MEDIUM] CWE-328 Mattermost makes Use of Weak Hash Mattermost makes Use of Weak Hash Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.

CVE-2025-9084 [LOW] CWE-601 Mattermost Open Redirect vulnerability Mattermost Open Redirect vulnerability Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.

CVE-2025-8402 [MEDIUM] CWE-476 Mattermost has Potential Server Crash due to Unvalidated Import Data Mattermost has Potential Server Crash due to Unvalidated Import Data Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

CVE-2025-6465 [MEDIUM] CWE-22 Mattermost Fails to Sanitize File Names Mattermost Fails to Sanitize File Names Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.

CVE-2025-47870 [MEDIUM] CWE-306 Mattermost Does Not Sanitize the Team Invite ID Mattermost Does Not Sanitize the Team Invite ID Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.

CVE-2025-49222 [MEDIUM] CWE-434 Mattermost Fails to Validate Remote Cluster Upload Sessions Mattermost Fails to Validate Remote Cluster Upload Sessions Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.

CVE-2025-36530 [MEDIUM] CWE-22 Mattermost Fails to Validate File Paths Mattermost Fails to Validate File Paths Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

CVE-2025-8023 [MEDIUM] CWE-22 Mattermost Fails to Sanitize Path Traversal Sequences Mattermost Fails to Sanitize Path Traversal Sequences Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.

CVE-2025-47700 [LOW] CWE-918 Mattermost Server SSRF Vulnerability via the Agents Plugin Mattermost Server SSRF Vulnerability via the Agents Plugin Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

CVE-2025-49810 [LOW] CWE-863 Mattermost Lack of Access Control Validation Mattermost Lack of Access Control Validation Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts

CVE-2025-53971 [LOW] CWE-863 Mattermost Fails to Properly Validate Team Role Modification Mattermost Fails to Properly Validate Team Role Modification Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.