github.com/mattermost/mattermost-server vulnerabilities
222 known vulnerabilities affecting github.com/mattermost_mattermost-server.
Total CVEs: 222
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown:
CRITICAL: 10
HIGH: 18
MEDIUM: 100
LOW: 22
UNKNOWN: 72
Vulnerabilities
Page 5 of 12
CVE-2025-41423
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more
Published: 2025-04-24
Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
Source: osv
CVE-2025-41395
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more
Published: 2025-04-24
Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks.
NOTE: Th
Source: osv
CVE-2025-27571
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
Published: 2025-04-22
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-2564
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
Published: 2025-04-22
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-24839
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
Published: 2025-04-22
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-27936
Severity: UNKNOWN
Affected: ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Published: 2025-04-22
Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing f
Source: osv
CVE-2025-2424
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Published: 2025-04-22
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-24866
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible
Published: 2025-04-22
Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-31363
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.3+incompatible; +1 more
Published: 2025-04-22
Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-27538
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Published: 2025-04-22
Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-2475
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Published: 2025-04-22
Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-32093
Severity: MEDIUM
CWE: CWE-863
Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +1 more
Published: 2025-04-14
Mattermost Fails to Restrict Certain Operations on System Admins
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission val
Sources: ghsa, osv
CVE-2025-27715
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible
Published: 2025-03-25
Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-24920
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Published: 2025-03-25
Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-30179
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Published: 2025-03-25
Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-25068
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Published: 2025-03-25
Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-25274
Severity: UNKNOWN
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Published: 2025-03-25
Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
Source: osv
CVE-2025-27933
Severity: MEDIUM
CWE: CWE-863
Affected: ≥ 0, < 9.11.9
Published: 2025-03-21
Mattermost allows members with permission to convert public channels to private and convert private to public
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
Sources: ghsa, osv
CVE-2025-1472
Severity: MEDIUM
CWE: CWE-863
Affected: ≥ 9.11.0, < 9.11.9
Published: 2025-03-19
Mattermost Fails to Properly Perform Viewer Role Authorization
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
Sources: ghsa, osv
CVE-2025-1412
Severity: UNKNOWN
Affected: ≥ 9.11.0-rc1+incompatible, < 9.11.7+incompatible; ≥ 10.4.0-rc1+incompatible, < 10.4.2+incompatible
Published: 2025-03-03
Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
Source: osv