github.com/mattermost/mattermost/server/v8 vulnerabilities

180 known vulnerabilities affecting the Go module github.com/mattermost/mattermost/server/v8 (the Mattermost server). Affected ranges written as ≥ 0, < 8.0.0-<timestamp>-<commit> are Go module pseudo-versions, where the upper bound names the first fixed commit; ranges such as ≥ 11.4.0-rc1, < 11.4.1 refer to Mattermost release versions. When checking a deployed server, compare against the release versions quoted in each description.

Total CVEs: 180
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 117, LOW 43

Vulnerabilities

Page 1 of 9
CVE-2026-3108 | HIGH | CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) | 2026-03-26
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate
Sources: GHSA, OSV
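What a fix for this class of bug (CWE-150) looks like, as an added example in Go. It is not Mattermost's or mmctl's code: the function name and the sample post are constructed for illustration. Text of untrusted origin is passed through a filter that strips ESC-introduced sequences (CSI, OSC, DCS and friends) and control characters before it is written to a terminal. The sample hides an OSC 8 hyperlink, a window-title change and a cursor move plus line erase behind harmless-looking text.

```go
package main

import (
	"fmt"
	"strings"
)

// SanitizeForTerminal strips everything a terminal would interpret as a command
// from text of untrusted origin (here: a chat post printed by an admin CLI).
// Removed: ESC-introduced sequences (CSI "ESC [", OSC "ESC ]", DCS/SOS/PM/APC,
// and any other two-character ESC sequence), C0 control characters other than
// tab and newline, DEL, and the C1 control range U+0080..U+009F. Printable
// Unicode passes through unchanged.
func SanitizeForTerminal(s string) string {
	rs := []rune(s)
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case r == 0x1b: // ESC introduces a sequence
			if i+1 >= len(rs) {
				continue // lone ESC at end of input: drop it
			}
			switch rs[i+1] {
			case '[': // CSI: parameter/intermediate bytes 0x20..0x3F, then one final byte 0x40..0x7E
				i += 2
				for i < len(rs) && rs[i] >= 0x20 && rs[i] <= 0x3f {
					i++
				}
				// rs[i] is now the final byte; the loop increment skips it
			case ']', 'P', 'X', '^', '_': // OSC, DCS, SOS, PM, APC: string ends at BEL or ST (ESC \)
				i += 2
				for i < len(rs) {
					if rs[i] == 0x07 {
						break // BEL terminator; the loop increment skips it
					}
					if rs[i] == 0x1b && i+1 < len(rs) && rs[i+1] == '\\' {
						i++ // step onto the backslash of ST; the loop increment skips it
						break
					}
					i++
				}
			default:
				i++ // two-character sequence such as ESC c (full reset)
			}
		case r == '\t' || r == '\n':
			b.WriteRune(r)
		case r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f):
			// C0 control, DEL or C1 control: drop
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// samplePost is a constructed message, not a real Mattermost post. It carries an
// OSC 8 hyperlink to an attacker host, an OSC 0 title change, a two-line cursor
// move with line erase (to overwrite earlier output), and a red "ALERT" line.
const samplePost = "Deploy finished \x1b]8;;https://attacker.example/\x1b\\OK\x1b]8;;\x1b\\ " +
	"\x1b]0;pwned\x07" +
	"\x1b[2A\x1b[2K\x1b[31mALERT: run `mmctl user delete admin`\x1b[0m\r\n"

func main() {
	fmt.Printf("raw:       %q\n", samplePost)
	fmt.Printf("sanitized: %q\n", SanitizeForTerminal(samplePost))
}
```

The filter is applied to every user-controlled field (post text, usernames, channel names) at the point where the CLI formats output, not at storage time, so that the stored data stays intact and the terminal never sees the raw bytes.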
CVE-2026-3112 | MEDIUM | CWE-22 (Path Traversal) | 2026-03-26
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths, which allows system administrators to read arbitrary host files via malicious AdvancedLog
Sources: GHSA, OSV
CVE-2026-3115 | MEDIUM | CWE-863 (Incorrect Authorization) | 2026-03-26
Affected: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scop
Sources: GHSA, OSV
CVE-2026-4274 | MEDIUM | CWE-863 (Incorrect Authorization) | 2026-03-26
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost has an Incorrect Authorization issue. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team m
Sources: GHSA, OSV
CVE-2026-3114 | MEDIUM | CWE-409 (Improper Handling of Highly Compressed Data) | 2026-03-26
Affected: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0, < 11.3.2; +3 more
Mattermost doesn't validate decompressed archive entry sizes during file extraction. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction, which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly
Sources: GHSA, OSV
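An added example in Go of the check that CWE-409 calls for. This is not Mattermost's extractor; the function names, the limits and the in-memory archive are constructed for illustration. The declared uncompressed size in the zip header is attacker-controlled, so it is used only as a cheap early reject; what is enforced is the number of bytes that actually come out of the decompressor, per entry and across the whole archive, and entry names are checked against directory escape at the same time.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"strings"
)

var (
	ErrEntryTooLarge  = errors.New("archive entry exceeds per-entry decompressed size limit")
	ErrBudgetExceeded = errors.New("archive exceeds total decompressed size budget")
	ErrBadPath        = errors.New("archive entry name is not a safe relative path")
)

// Entry is a constructed (name, content) pair used to build sample archives.
type Entry struct {
	Name string
	Data []byte
}

// BuildArchive zips the entries in memory with the default Deflate method.
// Highly repetitive data (2 MiB of zero bytes) compresses to a few KiB, which is
// exactly the asymmetry a decompression bomb relies on.
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(e.Data); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// SafeName rejects entry names that could escape the extraction directory:
// empty names, backslashes, absolute paths and any ".." element.
func SafeName(name string) bool {
	n := strings.TrimSuffix(name, "/") // directory entries carry a trailing slash
	return n != "" && n != "." && !strings.Contains(n, `\`) && fs.ValidPath(n)
}

// SafeExtract decompresses every entry with a hard cap on the bytes that actually
// come out of the decompressor, per entry (maxEntry) and across the archive
// (maxTotal). Entries are returned in memory to keep the example self-contained;
// a real extractor would stream each entry to a file under the destination.
func SafeExtract(archive []byte, maxEntry, maxTotal uint64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(zr.File))
	var total uint64
	for _, f := range zr.File {
		if !SafeName(f.Name) {
			return nil, fmt.Errorf("%w: %q", ErrBadPath, f.Name)
		}
		// Early reject on the declared size: cheap, but never sufficient on its own.
		if f.UncompressedSize64 > maxEntry {
			return nil, fmt.Errorf("%w: %q declares %d bytes", ErrEntryTooLarge, f.Name, f.UncompressedSize64)
		}
		if total+f.UncompressedSize64 > maxTotal {
			return nil, fmt.Errorf("%w: %q would push the total past %d bytes", ErrBudgetExceeded, f.Name, maxTotal)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read at most maxEntry+1 bytes: one byte over the limit proves the header
		// lied, without ever allocating the full inflated payload.
		data, err := io.ReadAll(io.LimitReader(rc, int64(maxEntry)+1))
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%q: %w", f.Name, err)
		}
		if uint64(len(data)) > maxEntry {
			return nil, fmt.Errorf("%w: %q inflated past %d bytes (header claimed %d)", ErrEntryTooLarge, f.Name, maxEntry, f.UncompressedSize64)
		}
		total += uint64(len(data))
		if total > maxTotal {
			return nil, fmt.Errorf("%w: %d > %d", ErrBudgetExceeded, total, maxTotal)
		}
		out[f.Name] = data
	}
	return out, nil
}

func main() {
	bomb := BuildArchive([]Entry{{"big.bin", make([]byte, 2 << 20)}, {"notes.txt", []byte("hello")}})
	fmt.Printf("archive is %d bytes compressed\n", len(bomb))
	if _, err := SafeExtract(bomb, 1<<20, 8<<20); err != nil {
		fmt.Println("1 MiB per-entry cap:", err)
	}
	out, err := SafeExtract(bomb, 4<<20, 8<<20)
	fmt.Printf("4 MiB per-entry cap: %d entries extracted, err=%v\n", len(out), err)
}
```

The same two-level budget applies to nested archives and to any format that inflates on read (images, documents); the per-entry limit bounds a single allocation, the total bounds the whole request.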
CVE-2026-20719 | MEDIUM | CWE-754 (Improper Check for Unusual or Exceptional Conditions) | 2026-03-25
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds, which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitH
Sources: GHSA, OSV
CVE-2026-27659 | MEDIUM | CWE-352 (Cross-Site Request Forgery) | 2026-03-25
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
Mattermost doesn't properly validate CSRF tokens. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Sources: GHSA, OSV
CVE-2026-27656 | MEDIUM | CWE-303 (Incorrect Implementation of Authentication Algorithm) | 2026-03-25
Affected: ≥ 8.0.0-20260105080200-d27a2195068d, < 8.0.0-20260217110922-b7d4a1f1f59b
Mattermost allows attackers to take over arbitrary user accounts via an overly permissive substring matching flaw. Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts
Sources: GHSA, OSV
CVE-2026-24458 | HIGH | CWE-770 (Allocation of Resources Without Limits or Throttling) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260129164748-7201f42d955f
Mattermost fails to properly handle very long passwords. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Sources: GHSA, OSV
CVE-2026-21386 | MEDIUM | CWE-203 (Observable Discrepancy) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260130144323-5bb5261c72fa
Mattermost fails to use consistent error responses when handling the /mute command. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command, which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent
Sources: GHSA, OSV
CVE-2026-2455 | MEDIUM | CWE-918 (Server-Side Request Forgery) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260129133647-5d787969c2d5
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation, which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).
Sources: GHSA, OSV
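The bypass and the fix side by side, as an added example in Go that is not Mattermost's code (the denylist, the function names and the URLs are constructed for illustration). A reserved-range check that tests the address exactly as parsed misses ::ffff:127.0.0.1 because netip.Prefix.Contains, by its documented contract, never matches an IPv4-mapped IPv6 address against an IPv4 prefix; the hex spelling ::ffff:7f00:1 and the cloud metadata address ::ffff:169.254.169.254 slip through the same way. Calling Addr.Unmap before the comparison canonicalizes the literal to its IPv4 form, and the IPv4 entries then apply.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// reservedRanges is a constructed denylist of ranges that an outbound fetch
// (link previews, webhooks, integrations) should never be allowed to reach.
var reservedRanges = mustPrefixes(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// hostAddr pulls the host out of a URL and parses it as an IP literal.
// url.URL.Hostname strips the brackets around an IPv6 literal, so
// "http://[::ffff:127.0.0.1]:8065/" yields "::ffff:127.0.0.1".
func hostAddr(rawURL string) (netip.Addr, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return netip.Addr{}, err
	}
	addr, err := netip.ParseAddr(u.Hostname())
	if err != nil {
		// Not a literal. A real check must resolve the name, run every returned
		// address through the same test, and repeat the test on each redirect.
		return netip.Addr{}, fmt.Errorf("host %q is not an IP literal: %w", u.Hostname(), err)
	}
	return addr, nil
}

func inReserved(addr netip.Addr) bool {
	for _, p := range reservedRanges {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// IsReservedVulnerable tests the address as parsed. An IPv4-mapped IPv6 address
// never matches an IPv4 prefix in netip.Prefix.Contains, and none of the IPv6
// entries cover ::ffff:0:0/96, so mapped loopback and RFC 1918 literals pass.
func IsReservedVulnerable(rawURL string) (bool, error) {
	addr, err := hostAddr(rawURL)
	if err != nil {
		return false, err
	}
	return inReserved(addr), nil
}

// IsReservedFixed canonicalizes first: Addr.Unmap turns ::ffff:a.b.c.d into the
// plain IPv4 address a.b.c.d and leaves every other address untouched.
func IsReservedFixed(rawURL string) (bool, error) {
	addr, err := hostAddr(rawURL)
	if err != nil {
		return false, err
	}
	return inReserved(addr.Unmap()), nil
}

func main() {
	for _, u := range []string{
		"http://127.0.0.1:8065/api/v4/users",
		"http://[::ffff:127.0.0.1]:8065/api/v4/users",
		"http://[::ffff:7f00:1]:8065/api/v4/users",
		"http://[::ffff:169.254.169.254]/latest/meta-data/",
		"http://203.0.113.10/",
	} {
		vuln, _ := IsReservedVulnerable(u)
		fixed, _ := IsReservedFixed(u)
		fmt.Printf("%-52s blocked before fix: %-5v after fix: %v\n", u, vuln, fixed)
	}
}
```

Canonicalization is only one half of an SSRF guard: the address that is actually dialed must be the one that was checked, which in practice means resolving the hostname yourself, validating each A/AAAA result after Unmap, dialing that address, and re-running the check on every redirect target rather than on the original URL alone.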
CVE-2026-2458 | MEDIUM | CWE-862 (Missing Authorization) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260113182106-a18b80ba4c32
Mattermost allows a removed team member to enumerate all public channels within a private team. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermos
Sources: GHSA, OSV
CVE-2026-24692 | MEDIUM | CWE-863 (Incorrect Authorization) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260107142155-0481bd1fb045
Mattermost fails to properly enforce read permissions in search API endpoints. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Sources: GHSA, OSV
CVE-2026-2578 | MEDIUM | CWE-201 (Insertion of Sensitive Information Into Sent Data) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260127062706-c6b205f0d770
Mattermost fails to preserve the redacted state of burn-on-read posts during deletion. Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion, which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Sources: GHSA, OSV
CVE-2026-26246 | MEDIUM | CWE-789 (Memory Allocation with Excessive Size Value) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260115183946-38b413a27604
Mattermost fails to bound memory allocation when processing PSD image files. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00
Sources: GHSA, OSV
CVE-2026-25783 | MEDIUM | CWE-1287 (Improper Validation of Specified Type of Input) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260129181235-1346cf529aef
Mattermost fails to properly validate User-Agent header tokens. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens, which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
Sources: GHSA, OSV
CVE-2026-25780 | MEDIUM | CWE-789 (Memory Allocation with Excessive Size Value) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260123215601-86797c508c44
Mattermost fails to bound memory allocation when processing DOC files. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Sources: GHSA, OSV
CVE-2026-2463 | MEDIUM | CWE-862 (Missing Authorization) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260105134819-cc427af41b2a
Mattermost fails to filter invite IDs based on user permissions. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
Sources: GHSA, OSV
CVE-2026-2456 | MEDIUM | CWE-789 (Memory Allocation with Excessive Size Value) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260127165411-fe3052073dc6
Mattermost fails to limit the size of responses from integration action endpoints. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an
Sources: GHSA, OSV
CVE-2026-4265 | MEDIUM | CWE-863 (Incorrect Authorization) | 2026-03-16
Affected: ≥ 0, < 8.0.0-20260107144005-c7f6efdfb035
Mattermost fails to validate team-specific upload_file permissions. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions, which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a di
Sources: GHSA, OSV