github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 3 of 13
CVE-2025-20621 | P3 | Severity: UNKNOWN | Published: 2025-01-17
Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more
Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-9076 | P3 | Severity: MEDIUM | CWE-862 | Published: 2025-09-15
Affected: ≥ 10.10.0, < 10.10.2
Mattermost Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Sources: ghsa, osv
CVE-2026-5163 | P3 | Severity: MEDIUM | CWE-862 | Published: 2026-05-18
Affected: ≥ 0, < 5.3.2-0.20260401090745-f4d1abe7e8f5
Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post r
Sources: ghsa
CVE-2025-20051 | P3 | Severity: UNKNOWN | Published: 2025-03-03
Affected: ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more
Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-41395 | P3 | Severity: UNKNOWN | Published: 2025-04-24
Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more
Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks
NOTE: Th
Sources: osv
CVE-2024-39274 | P3 | Severity: UNKNOWN | Published: 2024-08-06
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
Sources: osv
CVE-2026-6345 | P3 | Severity: MEDIUM | CWE-522 | Published: 2026-05-18
Affected: ≥ 0, < 5.3.2-0.20260311102650-3057ae7e83e9
Mattermost doesn't prevent disclosure of created user password
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 don't prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Sources: ghsa
CVE-2025-6226 | P3 | Severity: MEDIUM | CWE-306 | Published: 2025-07-18
Affected: ≥ 10.5.0, < 10.5.7; ≥ 10.8.0, < 10.8.2; +2 more
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Sources: ghsa, osv
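Two entries on this page, CVE-2026-5163 (the AI-assisted rewrite path) and CVE-2025-6226 (the PendingPostID cache lookup), come down to the same missing step: the server resolved a post from a caller-supplied key and returned it without checking that the caller could read the post's channel. The Go program below is an added example written for this page, not Mattermost's own code. PostStore, Post and the channel and user names are hypothetical, and the in-memory maps stand in for the server's database and post cache. GetPendingPostUnsafe reproduces the vulnerable pattern; GetPendingPost is the hardened lookup that gates the cache hit on channel membership.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Error values the lookup returns. Many servers collapse both into a generic
// "not found" so a caller cannot probe which IDs exist; see the note below.
var (
	ErrPostNotFound = errors.New("post not found")
	ErrNotMember    = errors.New("requesting user is not a member of the post's channel")
)

// Post is a minimal stand-in for a server-side post record (hypothetical).
type Post struct {
	ID            string
	PendingPostID string // client-chosen idempotency key sent with the create request
	ChannelID     string
	Message       string
}

// PostStore holds posts indexed by PendingPostID plus channel memberships.
// In a real server these are database tables and a cache; here they are
// plain maps constructed for the example.
type PostStore struct {
	mu        sync.RWMutex
	byPending map[string]*Post
	members   map[string]map[string]bool // channelID -> userID -> member
}

func NewPostStore() *PostStore {
	return &PostStore{
		byPending: make(map[string]*Post),
		members:   make(map[string]map[string]bool),
	}
}

func (s *PostStore) AddMember(channelID, userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.members[channelID] == nil {
		s.members[channelID] = make(map[string]bool)
	}
	s.members[channelID][userID] = true
}

func (s *PostStore) SavePost(p *Post) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byPending[p.PendingPostID] = p
}

// IsChannelMember is the authorization primitive every read path must call
// before returning channel content.
func (s *PostStore) IsChannelMember(userID, channelID string) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.members[channelID][userID]
}

// GetPendingPostUnsafe reproduces the vulnerable pattern: the cache is keyed
// only by the guessable PendingPostID and the caller's identity is never
// consulted, so any authenticated user who guesses the key reads the post.
func (s *PostStore) GetPendingPostUnsafe(pendingID string) (*Post, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	p, ok := s.byPending[pendingID]
	if !ok {
		return nil, ErrPostNotFound
	}
	return p, nil
}

// GetPendingPost is the hardened lookup: the cache hit is handed back only
// after the caller's membership in the post's channel has been verified.
func (s *PostStore) GetPendingPost(userID, pendingID string) (*Post, error) {
	s.mu.RLock()
	p, ok := s.byPending[pendingID]
	s.mu.RUnlock()
	if !ok {
		return nil, ErrPostNotFound
	}
	if !s.IsChannelMember(userID, p.ChannelID) {
		return nil, ErrNotMember
	}
	return p, nil
}

// exampleStore builds the constructed scenario: alice is in a private
// channel, bob is not, and alice has just created a post there.
func exampleStore() *PostStore {
	s := NewPostStore()
	s.AddMember("private-chan", "alice")
	s.SavePost(&Post{ID: "p1", PendingPostID: "pp-guessable", ChannelID: "private-chan", Message: "secret"})
	return s
}

func main() {
	s := exampleStore()
	if p, err := s.GetPendingPostUnsafe("pp-guessable"); err == nil {
		fmt.Println("unsafe lookup leaked:", p.Message)
	}
	_, err := s.GetPendingPost("bob", "pp-guessable")
	fmt.Println("hardened lookup for bob:", err)
	p, _ := s.GetPendingPost("alice", "pp-guessable")
	fmt.Println("hardened lookup for alice:", p.Message)
}
```

Returning a distinct ErrNotMember keeps the example readable; a production endpoint would normally answer a non-member with the same 404 it gives for an unknown key, so the lookup cannot be used to confirm that a guessed PendingPostID exists.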
CVE-2025-49222 | P3 | Severity: MEDIUM | CWE-434 | Published: 2025-08-21
Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more
Mattermost Fails to Validate Remote Cluster Upload Sessions
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Sources: ghsa, osv
CVE-2026-2325 | P3 | Severity: MEDIUM | CWE-770 | Published: 2026-05-18
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more
Mattermost doesn't limit the size of the request body on the start meeting API endpoint
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/a
Sources: ghsa
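The fix class for CVE-2026-2325 above is a hard cap on how much body a handler will read before it starts decoding. The Go handler below is an added example for this page, not Mattermost's code: the /start-meeting route, the JSON field names and the 64 KiB limit are assumptions. It wraps the body in http.MaxBytesReader from the standard library, distinguishes the resulting *http.MaxBytesError from ordinary malformed input, and drives itself through httptest so the behaviour can be checked offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxStartMeetingBody is the largest request body the handler will read.
// 64 KiB is an assumed figure; size it to the biggest legitimate payload.
const maxStartMeetingBody = 64 << 10

type startMeetingRequest struct {
	ChannelID string `json:"channel_id"`
	Topic     string `json:"topic"`
}

// startMeetingHandler wraps the body in http.MaxBytesReader before decoding.
// Reads stop once the cap is exceeded, so an oversized payload is rejected
// with 413 instead of being buffered and parsed in full.
func startMeetingHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxStartMeetingBody)

	var req startMeetingRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed request body", http.StatusBadRequest)
		return
	}
	if req.ChannelID == "" {
		http.Error(w, "channel_id is required", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "meeting started in channel %s\n", req.ChannelID)
}

// postStartMeeting drives the handler in-process with httptest and returns
// the HTTP status it produced. The route is hypothetical.
func postStartMeeting(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/start-meeting", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	startMeetingHandler(rec, req)
	return rec.Code
}

// oversizedBody is a constructed, syntactically valid JSON document whose
// single string field alone exceeds the cap.
func oversizedBody() string {
	return `{"channel_id":"c1","topic":"` + strings.Repeat("A", maxStartMeetingBody+1) + `"}`
}

func main() {
	fmt.Println("normal body    ->", postStartMeeting(`{"channel_id":"c1","topic":"standup"}`))
	fmt.Println("oversized body ->", postStartMeeting(oversizedBody()))
}
```

The cap must sit on the body reader, not on a Content-Length check: a client can omit or lie about Content-Length, and chunked encoding carries no total at all. MaxBytesReader also asks the server to close the connection after an over-limit read, so the attacker cannot keep streaming on the same socket.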
CVE-2017-18909 | P3 | Severity: HIGH | CWE-311 | Published: 2022-05-24
Affected: ≥ 0, < 3.8.1-0.20170504181128-4f074fed0d65
Mattermost Server SAML implementation does not require encryption or signature verification as default
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
Sources: ghsa, osv
CVE-2024-4183 | P3 | Severity: MEDIUM | CWE-400 | Published: 2024-04-26
Affected: ≥ 9.6.0-rc1, < 9.6.1; ≥ 9.5.0, < 9.5.3; +2 more
Mattermost fails to limit the number of active sessions
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
Sources: ghsa, osv
CVE-2017-18903 | P3 | Severity: HIGH | CWE-352 | Published: 2022-05-24
Affected: ≥ 0, < 3.9.2; ≥ 3.10.0-rc1, < 3.10.2
Mattermost Server vulnerable to CSRF if CORS is enabled
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
Sources: ghsa, osv
CVE-2025-14822 | P3 | Severity: LOW | CWE-407 | Published: 2026-01-16
Affected: ≥ 10.11.0, < 10.11.9; ≥ 11.0.0, < 11.2.0
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Sources: ghsa, osv
CVE-2025-30179 | P3 | Severity: UNKNOWN | Published: 2025-03-25
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-14435 | P3 | Severity: MEDIUM | CWE-770 | Published: 2026-01-16
Affected: ≥ 10.11.0, < 10.11.9; ≥ 11.1.0, < 11.1.2; +1 more
Mattermost is vulnerable to DoS due to infinite re-renders on API errors
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
Sources: ghsa, osv
CVE-2026-3590 | P3 | Severity: MEDIUM | CWE-367 | Published: 2026-04-17
Affected: ≥ 10.11.0-rc1, < 10.11.13; ≥ 11.5.0-rc1, < 11.5.0; +2 more
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple i
Sources: ghsa
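The check-then-invalidate race behind CVE-2026-3590 above, as an added Go example written for this page rather than Mattermost's own code. MagicLinkStore is a hypothetical in-memory token table; its mutex plays the role a transaction or a conditional DELETE would play against a real database. ConsumeNonAtomic validates the token in one critical section and deletes it in another, so concurrent redemptions that all see the token as unused all succeed; Consume does both under one lock, so exactly one redemption can ever win. raceRedeem fires 50 concurrent redemptions of a single token and counts how many sessions each variant would mint.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"runtime"
	"sync"
	"time"
)

var ErrTokenInvalid = errors.New("magic link token is invalid, expired or already used")

type magicLink struct {
	UserID    string
	ExpiresAt time.Time
}

// MagicLinkStore is an in-memory stand-in for the server's token table
// (assumed structure). The mutex stands in for the database's row lock.
type MagicLinkStore struct {
	mu     sync.Mutex
	tokens map[string]magicLink
}

func NewMagicLinkStore() *MagicLinkStore {
	return &MagicLinkStore{tokens: make(map[string]magicLink)}
}

// Issue mints a 256-bit random token bound to userID that expires after ttl.
func (s *MagicLinkStore) Issue(userID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	s.tokens[token] = magicLink{UserID: userID, ExpiresAt: time.Now().Add(ttl)}
	s.mu.Unlock()
	return token, nil
}

// ConsumeNonAtomic reproduces the check-then-use pattern: validation and
// invalidation are separate critical sections, so every request that
// observes the token before the first delete lands gets a session.
func (s *MagicLinkStore) ConsumeNonAtomic(token string) (string, error) {
	s.mu.Lock()
	link, ok := s.tokens[token]
	s.mu.Unlock()
	if !ok || time.Now().After(link.ExpiresAt) {
		return "", ErrTokenInvalid
	}
	runtime.Gosched() // widen the window in which other goroutines slip through
	s.mu.Lock()
	delete(s.tokens, token)
	s.mu.Unlock()
	return link.UserID, nil
}

// Consume is the hardened version: lookup and removal happen under one lock,
// so at most one caller redeems the token. Expired tokens are burned too.
func (s *MagicLinkStore) Consume(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	link, ok := s.tokens[token]
	if !ok {
		return "", ErrTokenInvalid
	}
	delete(s.tokens, token)
	if time.Now().After(link.ExpiresAt) {
		return "", ErrTokenInvalid
	}
	return link.UserID, nil
}

// raceRedeem launches n concurrent redemptions of one token through consume
// and returns how many succeeded, i.e. how many sessions would be minted.
func raceRedeem(n int, token string, consume func(string) (string, error)) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	start := make(chan struct{})
	wins := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // all goroutines are released at once
			if _, err := consume(token); err == nil {
				mu.Lock()
				wins++
				mu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return wins
}

func main() {
	s := NewMagicLinkStore()
	t1, _ := s.Issue("guest-1", 15*time.Minute)
	fmt.Println("non-atomic consume, sessions created:", raceRedeem(50, t1, s.ConsumeNonAtomic))
	t2, _ := s.Issue("guest-2", 15*time.Minute)
	fmt.Println("atomic consume, sessions created:", raceRedeem(50, t2, s.Consume))
}
```

The atomic variant reports exactly one session on every run; the non-atomic one reports one on a lucky schedule and several otherwise, which is why a reviewer should look for the separated check and delete rather than try to reproduce the race. Against SQL the same guarantee comes from a single statement, for example DELETE FROM tokens WHERE token = $1 AND expires_at > now() RETURNING user_id, with zero affected rows treated as failure.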
CVE-2016-11069 | P3 | Severity: HIGH | CWE-799 | Published: 2022-05-24
Affected: ≥ 0, < 3.2.0
Mattermost Server does not enforce rate limits on password change attempts
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
Sources: ghsa, osv
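CVE-2016-11069 above is about unthrottled guessing of the current password on the change-password path. The Go program below is an added example written for this page, not Mattermost's code: a per-key limiter that counts only failed attempts inside a time window, and a password-change routine that consults it before it checks the current password. The AttemptLimiter and PasswordChanger types, the three-failures-per-ten-minutes values and the plain-text credential map are all assumptions made for the example; a real server compares against a stored bcrypt or argon2 hash.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrTooManyAttempts = errors.New("too many failed password change attempts, try again later")
	ErrWrongPassword   = errors.New("current password is incorrect")
)

// AttemptLimiter allows at most max failed attempts per key within the last
// window. Only failures count, so successful changes never throttle a user.
type AttemptLimiter struct {
	mu       sync.Mutex
	max      int
	window   time.Duration
	now      func() time.Time // injectable clock so tests can move time
	failures map[string][]time.Time
}

func NewAttemptLimiter(max int, window time.Duration) *AttemptLimiter {
	return &AttemptLimiter{max: max, window: window, now: time.Now, failures: make(map[string][]time.Time)}
}

// prune drops failures older than the window and returns what remains.
func (l *AttemptLimiter) prune(key string) []time.Time {
	cutoff := l.now().Add(-l.window)
	kept := l.failures[key][:0]
	for _, ts := range l.failures[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	l.failures[key] = kept
	return kept
}

// Allow reports whether key may make another attempt right now.
func (l *AttemptLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.prune(key)) < l.max
}

func (l *AttemptLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key] = append(l.prune(key), l.now())
}

func (l *AttemptLimiter) Reset(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
}

// PasswordChanger puts the limiter in front of the credential check. verify
// and update are injected so the example runs without a database.
type PasswordChanger struct {
	limiter *AttemptLimiter
	verify  func(userID, password string) bool
	update  func(userID, newPassword string)
}

// Change refuses the attempt outright once the key is throttled, so a
// brute-forcer learns nothing even when a later guess happens to be right.
func (c *PasswordChanger) Change(userID, current, next string) error {
	if !c.limiter.Allow(userID) {
		return ErrTooManyAttempts
	}
	if !c.verify(userID, current) {
		c.limiter.RecordFailure(userID)
		return ErrWrongPassword
	}
	c.update(userID, next)
	c.limiter.Reset(userID)
	return nil
}

// exampleChanger wires a constructed single-user credential store. Passwords
// are held in plain text only to keep the example free of a hashing library.
func exampleChanger(limiter *AttemptLimiter) *PasswordChanger {
	creds := map[string]string{"alice": "correct horse battery"}
	return &PasswordChanger{
		limiter: limiter,
		verify: func(userID, pw string) bool {
			stored, ok := creds[userID]
			return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(pw)) == 1
		},
		update: func(userID, pw string) { creds[userID] = pw },
	}
}

func main() {
	c := exampleChanger(NewAttemptLimiter(3, 10*time.Minute))
	for i := 1; i <= 4; i++ {
		fmt.Println("wrong guess", i, "->", c.Change("alice", "hunter2", "new-pass"))
	}
	fmt.Println("correct password while throttled ->", c.Change("alice", "correct horse battery", "new-pass"))
}
```

Keying the limiter on the target user ID alone stops online guessing but lets anyone who knows a username lock that user out of changing their password; production limiters normally key on the user and on the client address, and may fall back to a CAPTCHA or a delay rather than a hard refusal. The order in Change matters: the limiter is consulted before the password is verified, so a throttled caller cannot tell a rejected-for-rate-limit correct guess from a wrong one.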
CVE-2024-54083 | P3 | Severity: UNKNOWN | Published: 2024-12-18
Affected: ≥ 9.5.0+incompatible, < 9.5.13+incompatible; ≥ 9.11.0+incompatible, < 9.11.5+incompatible; +2 more
Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-21088 | P3 | Severity: UNKNOWN | Published: 2025-01-16
Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more
Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server
Sources: osv