github.com/mattermost/mattermost-server vulnerabilities

222 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 18, MEDIUM 100, LOW 22, UNKNOWN 72

Vulnerabilities

Page 4 of 12
CVE-2025-6233 [MEDIUM] CWE-22 | affected: ≥ 10.8.0, < 10.8.2; ≥ 10.7.0, < 10.7.4; +2 more | 2025-07-18
Mattermost Path Traversal vulnerability. Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Sources: GHSA, OSV
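The affected-version clauses in each entry ("10.8.x <= 10.8.1, 10.7.x <= 10.7.3, ...") are what an operator has to compare a deployment against. The Go program below is an added example, not code from this vulnerability database or from Mattermost: it parses the clause list exactly as printed in the CVE-2025-6233 entry above and reports whether a given version string falls inside an affected series. The version strings it is run on, the ParseAffected/Affected names and the treatment of pre-release suffixes are this example's own choices.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Series is one clause from an advisory's affected-versions list, e.g. "10.8.x <= 10.8.1":
// every release of the Major.Minor line up to and including patch LastAffected.
type Series struct {
	Major, Minor, LastAffected int
}

// parseVersion accepts "10.8.1", "v10.8.1" and Go-module forms such as "9.11.16+incompatible".
// A pre-release suffix ("10.5.0-rc1") is stripped, so an rc of an affected patch counts as
// affected; that is the conservative choice for a deployment check (assumption of this example).
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("version %q is not major.minor.patch", v)
	}
	var n [3]int
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, 0, fmt.Errorf("version %q: %w", v, err)
		}
	}
	return n[0], n[1], n[2], nil
}

// ParseAffected parses the comma-separated clause list used in the advisory text on this page,
// e.g. "10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16".
func ParseAffected(s string) ([]Series, error) {
	var out []Series
	for _, clause := range strings.Split(s, ",") {
		fields := strings.Fields(clause) // e.g. ["10.8.x", "<=", "10.8.1"]
		if len(fields) != 3 || fields[1] != "<=" || !strings.HasSuffix(fields[0], ".x") {
			return nil, fmt.Errorf("unrecognised clause %q", strings.TrimSpace(clause))
		}
		major, minor, last, err := parseVersion(fields[2])
		if err != nil {
			return nil, err
		}
		// The series prefix must agree with the bound's major.minor, otherwise the clause is malformed.
		if fields[0] != fmt.Sprintf("%d.%d.x", major, minor) {
			return nil, fmt.Errorf("clause %q: series does not match bound", strings.TrimSpace(clause))
		}
		out = append(out, Series{major, minor, last})
	}
	return out, nil
}

// Affected reports whether the deployed version lies in any listed series. A version on a
// minor line the advisory does not mention returns false: "not listed" is not the same as
// "known fixed", so callers should report unlisted lines separately.
func Affected(deployed string, series []Series) (bool, error) {
	major, minor, patch, err := parseVersion(deployed)
	if err != nil {
		return false, err
	}
	for _, s := range series {
		if s.Major == major && s.Minor == minor && patch <= s.LastAffected {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Clause list copied verbatim from the CVE-2025-6233 entry on this page.
	series, err := ParseAffected("10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16")
	if err != nil {
		panic(err)
	}
	// Constructed deployment versions to check against the clauses.
	for _, v := range []string{"10.8.1", "10.8.2", "v9.11.16+incompatible", "10.5.8", "10.6.5"} {
		hit, _ := Affected(v, series)
		fmt.Printf("%-24s affected=%v\n", v, hit)
	}
}
```

Note that 10.6.5 comes back as not affected only because the CVE-2025-6233 text lists no 10.6.x clause; a fleet check should flag such unlisted lines for manual review rather than treating them as clean.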
CVE-2025-6226 [MEDIUM] CWE-306 | affected: ≥ 10.5.0, < 10.5.7; ≥ 10.8.0, < 10.8.2; +2 more | 2025-07-18
Mattermost Missing Authentication for Critical Function. Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to by guessing the PendingPostID of recently created posts.
Sources: GHSA, OSV
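CVE-2025-6226 has the classic shape of a missing authorization check on a cache hit: the pending post ID is chosen by the client and therefore guessable, so it must not act as a read capability. The Go code below is an added illustration of the flawed lookup next to the hardened one and is not Mattermost's implementation; the Store type, the membership model, and the user, channel and pending IDs are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for unknown and for inaccessible pending IDs alike.
var ErrNotFound = errors.New("post not found")

type Post struct {
	ID, PendingPostID, ChannelID, UserID, Message string
}

// Store is an in-memory stand-in, constructed for this example, for a server's
// recently-created-post cache and its channel membership table.
type Store struct {
	byPending map[string]*Post           // pending ID -> post, populated on create
	members   map[string]map[string]bool // channel ID -> set of member user IDs
}

func NewStore() *Store {
	return &Store{byPending: map[string]*Post{}, members: map[string]map[string]bool{}}
}

func (s *Store) AddMember(channelID, userID string) {
	if s.members[channelID] == nil {
		s.members[channelID] = map[string]bool{}
	}
	s.members[channelID][userID] = true
}

// CreatePost caches the post under the client-chosen pending ID, the key a
// create-post endpoint uses to deduplicate retried requests.
func (s *Store) CreatePost(p *Post) {
	s.byPending[p.PendingPostID] = p
}

func (s *Store) HasChannelAccess(userID, channelID string) bool {
	return s.members[channelID][userID]
}

// GetByPendingIDUnchecked reproduces the flawed pattern: a cache hit is handed to
// whoever supplies the pending ID, so a guessable ID becomes a read capability.
func (s *Store) GetByPendingIDUnchecked(pendingID string) (*Post, error) {
	if p, ok := s.byPending[pendingID]; ok {
		return p, nil
	}
	return nil, ErrNotFound
}

// GetByPendingID is the hardened lookup: the channel-membership check is applied to the
// cache hit exactly as it would be to a database read, and an inaccessible post is
// indistinguishable from a missing one so the endpoint cannot serve as an existence oracle.
func (s *Store) GetByPendingID(callerID, pendingID string) (*Post, error) {
	p, ok := s.byPending[pendingID]
	if !ok || !s.HasChannelAccess(callerID, p.ChannelID) {
		return nil, ErrNotFound
	}
	return p, nil
}

// SampleStore builds the scenario from the advisory: a private channel that alice belongs
// to and bob does not, holding one freshly created post. All IDs are constructed.
func SampleStore() *Store {
	s := NewStore()
	s.AddMember("priv-channel-1", "alice")
	s.CreatePost(&Post{
		ID: "p1", PendingPostID: "alice:1720000000001", ChannelID: "priv-channel-1",
		UserID: "alice", Message: "quarterly numbers",
	})
	return s
}

func main() {
	s := SampleStore()
	leaked, _ := s.GetByPendingIDUnchecked("alice:1720000000001")
	fmt.Printf("unchecked lookup by bob: %q\n", leaked.Message)
	if _, err := s.GetByPendingID("bob", "alice:1720000000001"); err != nil {
		fmt.Println("checked lookup by bob:", err)
	}
	p, _ := s.GetByPendingID("alice", "alice:1720000000001")
	fmt.Printf("checked lookup by alice: %q\n", p.Message)
}
```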
CVE-2025-6227 [LOW] CWE-522 | affected: ≥ 10.5.0, < 10.5.8; ≥ 9.11.0, < 9.11.17 | 2025-07-18
Mattermost has Insufficiently Protected Credentials. Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite, which allows a user that intercepts both the invite and the password to send synchronization payloads to the server that originally created the invite via the REST API.
Sources: GHSA, OSV
CVE-2025-46702 [MEDIUM] CWE-863 | affected: ≥ 0, < 0.0.0-20250513065225-4ae5d647fb88 | 2025-06-30
Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via th
Sources: GHSA, OSV
CVE-2025-47871 [MEDIUM] CWE-863 | affected: ≥ 0, < 0.0.0-20250513065225-4ae5d647fb88 | 2025-06-30
Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display nam
Sources: GHSA, OSV
CVE-2025-4981 [CRITICAL] CWE-427 | affected: ≥ 0, < 0.0.0-20250519205859-65aec10162f6 | 2025-06-20
Mattermost allows authenticated users to write files to arbitrary locations. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam
Sources: GHSA, OSV
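CVE-2025-6233 (attachment paths in the bulk-import JSONL) and CVE-2025-4981 (member names in the archive extractor) are both failures to confine an untrusted relative path to a fixed root. The Go function below is an added example of the confinement check, not the project's code: the root directory, the entry names and the SafeJoin/UnsafeJoin helper names are constructed for the demonstration, and the expected output assumes a Unix path separator.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any entry name that would resolve outside the extraction root.
var ErrUnsafePath = errors.New("entry path escapes the extraction root")

// SafeJoin resolves an untrusted entry name (an archive member name, or an attachment path
// read from an import file) beneath root and returns the destination path. It refuses
// absolute names, Windows volume prefixes, backslashes, NUL bytes, and any name whose
// cleaned form climbs above root or collapses onto root itself. The check is purely lexical;
// it says nothing about symlinks that may already exist under root (see the note below).
func SafeJoin(root, name string) (string, error) {
	if name == "" || strings.ContainsAny(name, "\\\x00") {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	root = filepath.Clean(root)
	dest := filepath.Join(root, name) // Join cleans the result, so "a/../b" becomes root/b
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return dest, nil
}

// UnsafeJoin is the pattern both advisories describe: the untrusted name is joined onto the
// root with no traversal check, so ".." segments walk out of it.
func UnsafeJoin(root, name string) string {
	return filepath.Join(root, name)
}

func main() {
	const root = "/srv/mattermost/data/import" // assumed extraction root for the demo
	// Constructed entry names: the first two are what a benign import carries, the rest are
	// traversal attempts of the general kind the advisories describe.
	names := []string{
		"attachments/report.pdf",
		"attachments/../notes.txt",
		"../../../etc/passwd",
		"/etc/passwd",
		"attachments/../../../../root/.ssh/authorized_keys",
		"..\\..\\windows\\win.ini",
		".",
	}
	for _, n := range names {
		dest, err := SafeJoin(root, n)
		if err != nil {
			fmt.Printf("REJECT %-52q (unchecked join would give %s)\n", n, UnsafeJoin(root, n))
			continue
		}
		fmt.Printf("ok     %-52q -> %s\n", n, dest)
	}
}
```

A lexical check is necessary but not sufficient for archive extraction: an archive can first create a symlink inside root that points elsewhere and then write a member "through" it. An extractor should therefore refuse symlink members (or skip them unless the target also passes SafeJoin), and check the destination's parent with os.Lstat before writing.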
CVE-2025-3227 [MEDIUM] CWE-863 | affected: ≥ 0, < 0.0.0-20250520060012-d0380305ef7a | 2025-06-20
Mattermost allows unauthorized channel member management through playbook runs. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and pri
Sources: GHSA, OSV
CVE-2025-3228 [MEDIUM] CWE-863 | affected: ≥ 0, < 0.0.0-20250520060012-d0380305ef7a | 2025-06-20
Mattermost allows an unauthorized Guest user access to Playbook. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from the playbooks handler for guest users, which allows an attacker access to the playbook run.
Sources: GHSA, OSV
CVE-2025-4573 [MEDIUM] CWE-90 | affected: ≥ 10.7.0, < 10.7.2; ≥ 10.6.0, < 10.6.4; +2 more | 2025-06-11
Mattermost allows authenticated administrator to execute LDAP search filter injection. Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT
Sources: GHSA, OSV
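CVE-2025-4573 describes an LDAP search filter assembled from an administrator-controlled group ID attribute. The Go code below is an added example of the two defences such code needs and is not Mattermost's implementation: assertion values are escaped as RFC 4515 section 3 specifies, and attribute names, which the escaping rules do not cover, are validated against the RFC 4512 attribute-description grammar before they are interpolated. The objectClass=group filter shape, the GroupFilter/UnsafeGroupFilter names and the hostile input string are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// EscapeFilterValue encodes an assertion value for use inside an LDAP search filter as
// RFC 4515 section 3 requires: the characters with filter syntax meaning, plus NUL, become
// backslash-hex escapes. Bytes >= 0x80 (UTF-8 continuation and lead bytes) are escaped too,
// which the RFC permits and which removes any encoding ambiguity.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 || c >= 0x80:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// attrDesc matches an RFC 4512 attribute description: a descriptor (a letter followed by
// letters, digits or hyphens) or a dotted numeric OID, optionally followed by ";option" parts.
var attrDesc = regexp.MustCompile(`^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$`)

// GroupFilter builds the membership filter from an admin-supplied attribute name and value.
// The attribute name is validated rather than escaped, because RFC 4515 escaping is defined
// only for assertion values; a name that is not a legal attribute description is rejected.
// objectClass=group is an assumed directory schema for the example.
func GroupFilter(groupAttr, groupID string) (string, error) {
	if !attrDesc.MatchString(groupAttr) {
		return "", fmt.Errorf("invalid LDAP attribute description %q", groupAttr)
	}
	return fmt.Sprintf("(&(objectClass=group)(%s=%s))", groupAttr, EscapeFilterValue(groupID)), nil
}

// UnsafeGroupFilter is the pattern the hardened version replaces: raw string interpolation,
// so a value containing ")(" rewrites the filter's structure.
func UnsafeGroupFilter(groupAttr, groupID string) string {
	return fmt.Sprintf("(&(objectClass=group)(%s=%s))", groupAttr, groupID)
}

func main() {
	hostile := "*)(objectClass=*" // constructed input that turns one equality into a wildcard match
	fmt.Println("unsafe:", UnsafeGroupFilter("cn", hostile))
	safe, _ := GroupFilter("cn", hostile)
	fmt.Println("safe:  ", safe)
	if _, err := GroupFilter("cn=x)(cn", "admins"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```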
CVE-2025-4128 [LOW] CWE-863 | affected: ≥ 10.5.0, < 10.5.5; ≥ 9.11.0, < 9.11.14 | 2025-06-11
Mattermost allows guest users to view information about public teams they are not members of. Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Sources: GHSA, OSV
CVE-2025-3913 [UNKNOWN] | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.5.0-rc1+incompatible, < 10.5.4+incompatible; +2 more | 2025-06-03
Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-2571 [UNKNOWN] | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +2 more | 2025-06-03
Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-3611 [UNKNOWN] | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more | 2025-06-03
Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-3230 [UNKNOWN] | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +2 more | 2025-06-03
Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-1792 [UNKNOWN] | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more | 2025-06-03
Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-2527 [UNKNOWN] | affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible | 2025-05-23
Mattermost fails to verify the user's permissions when accessing groups in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-2570 [UNKNOWN] | affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible | 2025-05-23
Mattermost fails to check user access to `ExperimentalSettings` in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-31947 [UNKNOWN] | affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible; +2 more | 2025-05-23
Mattermost fails to lock out LDAP users after repeated login failures in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-3446 [UNKNOWN] | affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible; +2 more | 2025-05-23
Mattermost fails to validate team invite permissions in github.com/mattermost/mattermost-server.
Source: OSV
CVE-2025-35965 [UNKNOWN] | affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more | 2025-04-24
Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions tha
Source: OSV