github.com/mattermost/mattermost/server/v8 vulnerabilities
199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.
Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48
Vulnerabilities (page 1 of 10)
CVE-2025-12419 | P2 | CRITICAL | Affected: ≥ 0, < 8.0.0-20251028000919-d3ed703dc833 | 2025-11-27
CVE-2025-12419 [CRITICAL] CWE-287 Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account vi
Sources: GHSA, OSV
CVE-2025-12421 | P2 | CRITICAL | Affected: ≥ 0, < 8.0.0-20251022210333-acda1fb5dd46 | 2025-11-27
CVE-2025-12421 [CRITICAL] CWE-287 Mattermost fails to verify the token used during code exchange
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
Sources: GHSA, OSV
CVE-2025-4981 | P2 | CRITICAL | Affected: ≥ 0, < 8.0.0-20250519205859-65aec10162f6; ≥ 10.5.0, < 10.5.6; +4 more | 2025-06-20
CVE-2025-4981 [CRITICAL] CWE-427 Mattermost allows authenticated users to write files to arbitrary locations
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam
Sources: GHSA, OSV
CVE-2025-25279 | P2 | CRITICAL | Affected: ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more | 2025-02-24
CVE-2025-25279 [CRITICAL] CWE-22 Mattermost allows reading arbitrary files related to importing boards
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
Sources: GHSA, OSV
CVE-2026-3108 | P3 | HIGH | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | 2026-03-26
CVE-2026-3108 [HIGH] CWE-150 Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate
Sources: GHSA, OSV
CVE-2025-14273 | P3 | HIGH | Affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7a | 2025-12-22
CVE-2025-14273 [HIGH] CWE-303 Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <= 4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated
Sources: GHSA, OSV
CVE-2024-39777 | P3 | CRITICAL | Affected: ≥ 9.9.0, < 9.9.1; ≥ 9.5.0, < 9.5.7; +2 more | 2024-08-01
CVE-2024-39777 [CRITICAL] CWE-284 Mattermost allows unsolicited invites to expose access to local channels
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites that expose access to local channels when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then b
Sources: GHSA, OSV
CVE-2025-25274 | P3 | MEDIUM | Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CVE-2025-25274 [MEDIUM] CWE-77 Mattermost Fails to Restrict Command Execution in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
Sources: GHSA, OSV
CVE-2025-25068 | P3 | HIGH | Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CVE-2025-25068 [HIGH] CWE-306 Mattermost Fails to Enforce MFA on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
Sources: GHSA, OSV
CVE-2025-58073 | P3 | HIGH | Affected: ≥ 0, < 8.0.0-20250807174701-e14175eb6539 | 2025-10-16
CVE-2025-58073 [HIGH] CWE-862 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Sources: GHSA, OSV
CVE-2025-58075 | P3 | HIGH | Affected: ≥ 0, < 8.0.0-20250815100400-2d5cdc6e217e | 2025-10-16
CVE-2025-58075 [HIGH] CWE-862 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
Sources: GHSA, OSV
CVE-2026-6346 | P3 | HIGH | Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more | 2026-05-18
CVE-2026-6346 [HIGH] CWE-200 Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a suppo
Sources: GHSA
CVE-2023-6458 | P3 | HIGH | Affected: ≥ 0, < 8.1.5; ≥ 9.0.0, < 9.0.3 | 2023-12-06
CVE-2023-6458 [HIGH] CWE-22 Mattermost Injection vulnerability
Mattermost webapp fails to validate route parameters in//channels/, allowing an attacker to perform a client-side path traversal.
Sources: GHSA, OSV
CVE-2025-9079 | P3 | HIGH | Affected: ≥ 0, < 8.0.0-20250707221302-a8fa77f107ef | 2025-09-19
CVE-2025-9079 [HIGH] CWE-22 Mattermost Path Traversal vulnerability
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via malicious plugin upload to the prepackaged plugins directory.
Sources: GHSA, OSV
CVE-2025-1412 | P3 | LOW | Affected: ≥ 0, < 8.0.0-20241217145510-faa7e4f2ea0c; ≥ 10.4.0-rc1, < 10.4.2; +1 more | 2025-02-24
CVE-2025-1412 [LOW] CWE-384 Mattermost fails to invalidate all active sessions when converting a user to a bot
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Sources: GHSA, OSV
CVE-2025-55070 | P3 | MEDIUM | Affected: ≥ 0, < 8.0.0-20250912063506-7d8b7b5e4a60 | 2025-11-14
CVE-2025-55070 [MEDIUM] CWE-306 Mattermost does not enforce MFA on WebSocket connections
Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Sources: GHSA, OSV
CVE-2026-5740 | P3 | HIGH | Affected: ≥ 0, < 8.0.0-20260410202636-17939826efa2 | 2026-05-26
CVE-2026-5740 [HIGH] CWE-789 Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service o
Sources: GHSA
CVE-2026-28741 | P3 | MEDIUM | Affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260220133927-c29cf05d40f8; ≥ 11.5.0-rc1, < 11.5.0; +2 more | 2026-04-17
CVE-2026-28741 [MEDIUM] CWE-352 Mattermost doesn't validate CSRF tokens on an authentication endpoint
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint, which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Sources: GHSA
CVE-2024-40886 | P3 | MEDIUM | Affected: ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more | 2024-08-22
CVE-2024-40886 [MEDIUM] CWE-352 Mattermost Cross-Site Request Forgery vulnerability
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection, which allows a one-click client-side path traversal that leads to CSRF in the User Management page of the system console.
Sources: GHSA, OSV
CVE-2024-39832 | P3 | MEDIUM | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
CVE-2024-39832 [MEDIUM] CWE-754 Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard error handling, which allows a malicious remote to permanently delete local data by abusing dangerous error handling when shared channels are enabled.
Sources: GHSA, OSV