Github.Com Mattermost Mattermost-Server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost_mattermost-server.
Total CVEs
250
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 4 of 13
CVE-2026-26233 | P3 | MEDIUM | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +2 more | 2026-03-25
CVE-2026-26233 [MEDIUM] CWE-400 Mattermost doesn't rate limit login requests, allowing DoS
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests, which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via an HTTP/2 single-packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566
Sources: ghsa, osv
CVE-2025-41410 | P3 | MEDIUM | Affected: ≥ 10.10.0, < 10.10.3; ≥ 10.5.0, < 10.5.11; +1 more | 2025-10-16
CVE-2025-41410 [MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data, bypassing email-based team access restrictions.
Sources: ghsa, osv
CVE-2026-5755 | P3 | MEDIUM | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
CVE-2026-5755 [MEDIUM] CWE-400 Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a den
Sources: ghsa
CVE-2026-6340 | P3 | MEDIUM | Affected: ≥ 0, < 5.3.2-0.20260325191733-fb11968f8798 | 2026-05-18
CVE-2026-6340 [MEDIUM] CWE-789 Mattermost doesn't validate 7zip archive structure before processing
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, which allows an authenticated attacker to cause server memory exhaustion and denial of service by uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory
Sources: ghsa
CVE-2024-2447 | P3 | UNKNOWN | Affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more | 2024-06-05
CVE-2024-2447 Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard G
Sources: osv
CVE-2017-18917 | P4 | HIGH | Affected: ≥ 0, < 3.7.5-0.20170421192444-247cd1e51a8c; ≥ 3.8.0, < 3.8.2 | 2022-05-24
CVE-2017-18917 [HIGH] CWE-328 Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations
An issue was discovered in Mattermost Server before 3.8.2 and 3.7.5. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
Sources: ghsa, osv
CVE-2025-20033 | P4 | UNKNOWN | Affected: ≥ 10.0.0+incompatible, < 10.0.4+incompatible; ≥ 10.1.0+incompatible, < 10.1.4+incompatible; +1 more | 2025-01-09
CVE-2025-20033 Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versi
Sources: osv
CVE-2025-20088 | P3 | UNKNOWN | Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more | 2025-01-16
CVE-2025-20088 Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server.
Sources: osv
CVE-2024-22091 | P4 | LOW | Affected: ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3; +1 more | 2024-04-26
CVE-2024-22091 [LOW] CWE-400 Mattermost fails to limit the size of a request path
Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths.
Sources: ghsa, osv
CVE-2025-20086 | P3 | UNKNOWN | Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more | 2025-01-16
CVE-2025-20086 Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server.
Sources: osv
CVE-2026-4915 | P4 | MEDIUM | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
CVE-2026-4915 [MEDIUM] CWE-754 Mattermost doesn't filter nil elements from outgoing webhook attachment payloads before processing
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termina
Sources: ghsa
CVE-2024-39836 | P3 | UNKNOWN | Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more | 2024-08-30
CVE-2024-39836 Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server.
Sources: osv
CVE-2026-4054 | P4 | MEDIUM | Affected: ≥ 11.5.0, < 11.5.2; ≥ 0.0.0-20250731163400-5b955468ea1e, < 0.0.0-20260414103857-b21ef302025e; +1 more | 2026-05-15
CVE-2026-4054 [MEDIUM] CWE-754 Mattermost doesn't validate the response body of proxied images
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdow
Sources: ghsa
CVE-2022-1982 | P4 | MEDIUM | Affected: ≥ 6.6.0, < 6.6.1; ≥ 6.5.0, < 6.5.1; +2 more | 2022-06-03
CVE-2022-1982 [MEDIUM] CWE-400 Uncontrolled Resource Consumption in Mattermost server
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
Sources: ghsa, osv
CVE-2024-24988 | P4 | UNKNOWN | Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible | 2024-06-28
CVE-2024-24988 Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from
Sources: osv
CVE-2023-1775 | P4 | MEDIUM | Affected: ≥ 3.3.0, < 7.1.6; ≥ 7.7.0, < 7.7.2; +1 more | 2023-03-31
CVE-2023-1775 [MEDIUM] CWE-668 Mattermost vulnerable to information disclosure
When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and `post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients.
[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138
Sources: ghsa, osv
CVE-2024-28053 | P4 | LOW | Affected: ≥ 0, < 0.0.0-20240209181221-674f549daf0e | 2024-03-15
CVE-2024-28053 [LOW] CWE-400 Mattermost Server Resource Exhaustion
Mattermost Server versions 8.1.x before 8.1.10 fail to limit the size of the payload that can be read and parsed, allowing an attacker to send a very large email payload and crash the server (resource exhaustion).
Sources: ghsa, osv
CVE-2024-23493 | P4 | UNKNOWN | Affected: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more | 2024-06-28
CVE-2024-23493 Mattermost leaks details of AD/LDAP groups of a team's in github.com/mattermost/mattermost-server
Mattermost leaks details of a team's AD/LDAP groups in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from
Sources: osv
CVE-2026-27656 | P4 | MEDIUM | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +2 more | 2026-03-25
CVE-2026-27656 [MEDIUM] CWE-303 Mattermost allows attackers to take over arbitrary user accounts via an overly permissive substring matching flaw
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts.
Sources: ghsa, osv
CVE-2017-18874 | P4 | MEDIUM | Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60; ≥ 4.2.0-rc1, < 4.2.1-0.20171004194140-6d3cb2ce07fc; +1 more | 2022-05-24
CVE-2017-18874 [MEDIUM] CWE-22 Mattermost Server is vulnerable to Directory Traversal by System Admins
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
Sources: ghsa, osv