cvebase

github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 9 of 13
CVE-2024-54682 | P4 | UNKNOWN | ≥ 9.5.0+incompatible, < 9.5.13+incompatible; ≥ 9.11.0+incompatible, < 9.11.5+incompatible; +2 more | 2024-12-18
Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-10545 | P4 | LOW | ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3 | 2025-10-16
[LOW] CWE-863 Mattermost has an Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
Sources: ghsa, osv

CVE-2025-41443 | P4 | MEDIUM | ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3 | 2025-10-16
[MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
Sources: ghsa, osv

CVE-2024-41162 | P4 | UNKNOWN | ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-06
Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
Sources: osv

CVE-2024-48872 | P4 | UNKNOWN | ≥ 9.5.0+incompatible, < 9.5.13+incompatible; ≥ 9.11.0+incompatible, < 9.11.5+incompatible; +2 more | 2024-12-18
Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-41423 | P4 | UNKNOWN | ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more | 2025-04-24
Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
Sources: osv

CVE-2026-3636 | P4 | MEDIUM | ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
[MEDIUM] CWE-200 Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members
Sources: ghsa

CVE-2026-0999 | P4 | MEDIUM | ≥ 11.1.0; ≥ 10.11.0; +2 more | 2026-02-16
[MEDIUM] CWE-303 Mattermost fails to properly validate login method restrictions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Sources: ghsa, osv

CVE-2026-2463 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260105134819-cc427af41b2a; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
[MEDIUM] CWE-862 Mattermost fails to filter invite IDs based on user permissions
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
Sources: ghsa, osv

CVE-2026-2455 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260129133647-5d787969c2d5; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
[MEDIUM] CWE-918 Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).
Sources: ghsa, osv

CVE-2026-2458 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260113182106-a18b80ba4c32; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
[MEDIUM] CWE-862 Mattermost allows a removed team member to enumerate all public channels within a private team
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermos
Sources: ghsa, osv

CVE-2026-24692 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260107142155-0481bd1fb045; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
[MEDIUM] CWE-863 Mattermost fails to properly enforce read permissions in search API endpoints
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Sources: ghsa, osv

CVE-2025-13767 | P4 | MEDIUM | ≥ 10.11.0, < 10.11.8; ≥ 10.12.0, < 10.12.4; +2 more | 2025-12-24
[MEDIUM] CWE-863 Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with acce
Sources: ghsa, osv

CVE-2025-41436 | P4 | LOW | ≥ 0, < 11.0.0-alpha.1 | 2025-11-14
[LOW] CWE-863 Mattermost allows regular users to access archived channel content and files
Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
Sources: ghsa, osv

CVE-2026-4273 | P4 | LOW | ≥ 0, < 5.3.2-0.20260313190740-742e0be95074 | 2026-05-18
[LOW] CWE-863 Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authentic
Sources: ghsa

CVE-2024-32046 | P4 | MEDIUM | ≥ 8.1.0, < 8.1.12; ≥ 9.5.0, < 9.5.3; +2 more | 2024-04-26
[MEDIUM] CWE-200 Mattermost's detailed error messages reveal the full file path
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path where files are stored
Sources: ghsa, osv

CVE-2016-11084 | P4 | MEDIUM | ≥ 0, < 2.1.0 | 2022-05-24
[MEDIUM] CWE-352 Mattermost Server allows XSS via CSRF
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
Sources: ghsa, osv

CVE-2024-23488 | P4 | UNKNOWN | ≥ 9.0.0+incompatible, < 9.4.2+incompatible | 2024-06-28
Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go
Sources: osv

CVE-2026-25783 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260129181235-1346cf529aef; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16
[MEDIUM] CWE-1287 Mattermost fails to properly validate User-Agent header tokens
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
Sources: ghsa, osv

CVE-2024-43780 | P4 | UNKNOWN | ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more | 2024-08-30
Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
Sources: osv