
github.com/mattermost/mattermost/server/v8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost/mattermost/server/v8 (the Mattermost server Go module).

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 10 of 10. In each entry below, the affected ranges are Go module version ranges for the v8 module path; most are pseudo-versions of the form 8.0.0-<timestamp>-<commit> and do not correspond to the Mattermost release numbers quoted in the description, so check a deployment against the release numbers in the description text rather than against the range column.
CVE-2024-32939 | P4 | MEDIUM | CWE-284 | 2024-08-22
Affected ranges: ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more
Mattermost doesn't redact remote users' original email addresses
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.
References: GHSA, OSV
CVE-2025-53971 | P4 | LOW | CWE-863 | 2025-08-21
Affected ranges: ≥ 0, < 8.0.0-20250721095846-c602a4a78e1f
Mattermost Fails to Properly Validate Team Role Modification
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications, which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
References: GHSA, OSV
CVE-2025-47700 | P4 | LOW | CWE-918 | 2025-08-21
Affected ranges: ≥ 0, < 8.0.0-20250814075248-83a37a861d3c
Mattermost Server SSRF Vulnerability via the Agents Plugin
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows a user to trick other users into clicking malicious links via post actions.
References: GHSA, OSV
CVE-2025-13352 | P4 | LOW | CWE-1287 | 2025-12-17
Affected ranges: ≥ 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014
Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via craft
References: GHSA, OSV
CVE-2025-22449 | P4 | LOW | CWE-863 | 2025-01-09
Affected ranges: ≥ 9.11.0, < 9.11.6; ≥ 0, < 8.0.0-20250102081831-64c566a8280b
Mattermost Incorrect Authorization vulnerability
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
References: GHSA, OSV
CVE-2025-6227 | P4 | LOW | CWE-522 | 2025-07-18
Affected ranges: ≥ 0, < 8.0.0-20250612074655-8f8612c63783
Mattermost has Insufficiently Protected Credentials
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite, which allows a user that intercepts both the invite and the password to send synchronization payloads to the server that originally created the invite via the REST API.
References: GHSA, OSV
CVE-2025-55074 | P4 | LOW | CWE-276 | 2025-11-18
Affected ranges: ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b6
Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
References: GHSA, OSV
CVE-2024-10214 | P4 | LOW | CWE-303 | 2024-10-28
Affected ranges: ≥ 0, < 8.0.0-20240821220019-0d6b1070a26f
Mattermost incorrectly issues two sessions when using desktop SSO
Mattermost versions 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 incorrectly issue two sessions when using desktop SSO, one in the browser and one in the desktop app, with incorrect settings.
References: GHSA, OSV
CVE-2024-21848 | P4 | LOW | CWE-273 | 2024-04-05
Affected ranges: ≥ 0, < 8.1.11
Mattermost Server Improper Access Control
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel.
References: GHSA, OSV
CVE-2025-24866 | P4 | LOW | CWE-863 | 2025-04-10
Affected ranges: ≥ 9.11.0, < 9.11.9; ≥ 0, < 8.0.0-20250204211032-f52e08754c49
Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
References: GHSA, OSV
CVE-2025-1792 | P4 | LOW | CWE-863 | 2025-05-30
Affected ranges: ≥ 10.6.0-rc1, < 10.7.1; ≥ 10.0.0-rc1, < 10.5.4; +2 more
Mattermost fails to properly enforce access controls for guest users
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.
References: GHSA, OSV
CVE-2025-14573 | P4 | LOW | CWE-862 | 2026-02-16
Affected ranges: ≥ 0, < 8.0.0-20251215190648-6404ab29acc0
Mattermost fails to enforce invite permissions when updating team settings
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
References: GHSA, OSV
CVE-2025-2570 | P4 | LOW | CWE-863 | 2025-05-15
Affected ranges: ≥ 10.5.0, < 10.5.3; ≥ 9.11.0, < 9.11.12; +1 more
Mattermost Fails to Check User Access to `ExperimentalSettings`
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentalSettings` when `RestrictSystemAdmin` is true via the System Console.
References: GHSA, OSV
CVE-2024-1949 | P4 | LOW | CWE-200 | 2024-02-29
Affected ranges: ≥ 9.0.0, < 9.4.2; ≥ 0, < 8.1.9
Mattermost race condition
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
References: GHSA, OSV
CVE-2025-27538 | P4 | LOW | CWE-306 | 2025-04-16
Affected ranges: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
References: GHSA, OSV
CVE-2023-5193 | P4 | LOW | CWE-863 | 2023-09-29
Affected ranges: ≥ 8.1.0, < 8.1.1; ≥ 8.0.0, < 8.0.2
Mattermost Incorrect Authorization vulnerability
Mattermost fails to properly check permissions when retrieving a post, allowing a System Role with the permission to manage channels to read the posts of a DM conversation.
References: GHSA, OSV
CVE-2024-40884 | P4 | MEDIUM | CWE-284 | 2024-08-22
Affected ranges: ≥ 9.5.0, < 9.5.8; ≥ 9.10.0, < 9.10.1
Mattermost allows team admin user without "Add Team Members" permission to disable invite URL
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions, which allows a team admin user without "Add Team Members" permission to disable the invite URL.
References: GHSA, OSV
CVE-2023-5159 | P4 | LOW | CWE-863 | 2023-09-29
Affected ranges: ≥ 8.1.0, < 8.1.1; ≥ 8.0.0, < 8.0.2
Mattermost Incorrect Authorization vulnerability
Mattermost fails to properly verify the permissions when managing/updating a bot, allowing a User Manager role with user edit permissions to manage/update bots.
References: GHSA, OSV
CVE-2025-27715 | P4 | LOW | CWE-863 | 2025-03-21
Affected ranges: ≥ 9.11.0, < 9.11.9
Mattermost fails to prompt for explicit approval before adding a team admin to a private channel
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which leads to team admins joining private channels via crafted permalink links without their explicit consent.
References: GHSA, OSV
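Checking a deployed Mattermost release against the entries on this page, as an added example (this is not code from cvebase or from the Mattermost project): the "X.Y.x <= X.Y.Z" clauses from the 19 descriptions above are transcribed into a table, and a release number is classified per advisory as affected, fixed, or on an older branch the advisory text does not mention. The table, the three-way classification, and the names Report, classify and parseVersion are this example's own; the two 2023 entries, whose text names no versions, take their branches from the range column.

```go
package main

import (
	"fmt"
	"strings"
)

// branch is one "X.Y.x <= X.Y.Z" clause: the X.Y line up to and including patch Z.
type branch struct{ major, minor, maxPatch int }

type advisory struct {
	id       string
	branches []branch
}

// advisories is a constructed table transcribed from this page; the two 2023 entries, whose
// text names no versions, take 8.0.x <= 8.0.1 and 8.1.x <= 8.1.0 from their range columns.
var advisories = []advisory{
	{"CVE-2024-32939", []branch{{9, 9, 1}, {9, 5, 7}, {9, 10, 0}, {9, 8, 2}}},
	{"CVE-2025-53971", []branch{{10, 5, 8}, {9, 11, 17}}},
	{"CVE-2025-47700", []branch{{10, 5, 9}}},
	{"CVE-2025-13352", []branch{{10, 11, 6}}},
	{"CVE-2025-22449", []branch{{9, 11, 5}}},
	{"CVE-2025-6227", []branch{{10, 5, 7}, {9, 11, 16}}},
	{"CVE-2025-55074", []branch{{10, 11, 3}, {10, 5, 11}}},
	{"CVE-2024-10214", []branch{{9, 11, 1}, {9, 5, 9}}},
	{"CVE-2024-21848", []branch{{8, 1, 10}}},
	{"CVE-2025-24866", []branch{{9, 11, 8}}},
	{"CVE-2025-1792", []branch{{10, 7, 0}, {10, 5, 3}, {9, 11, 12}}},
	{"CVE-2025-14573", []branch{{10, 11, 9}}},
	{"CVE-2025-2570", []branch{{10, 5, 2}, {9, 11, 11}}},
	{"CVE-2024-1949", []branch{{8, 1, 8}, {9, 4, 1}}},
	{"CVE-2025-27538", []branch{{10, 5, 1}, {9, 11, 9}}},
	{"CVE-2023-5193", []branch{{8, 1, 0}, {8, 0, 1}}},
	{"CVE-2024-40884", []branch{{9, 5, 7}, {9, 10, 0}}},
	{"CVE-2023-5159", []branch{{8, 1, 0}, {8, 0, 1}}},
	{"CVE-2025-27715", []branch{{9, 11, 8}}},
}

type status int
const (
	fixed    status = iota // past the fix on a named branch, or on a branch newer than any named
	affected               // inside a named "<=" range
	unlisted               // older branch the text leaves out (unsupported when the fix shipped): treat as affected
)

// classify applies the text literally for named branches and assumes branches newer than every named one were cut after the fix.
func (a advisory) classify(major, minor, patch int) status {
	newestMajor, newestMinor := 0, 0
	for _, b := range a.branches {
		if b.major > newestMajor || (b.major == newestMajor && b.minor > newestMinor) {
			newestMajor, newestMinor = b.major, b.minor
		}
		if b.major == major && b.minor == minor {
			if patch <= b.maxPatch {
				return affected
			}
			return fixed
		}
	}
	if major < newestMajor || (major == newestMajor && minor < newestMinor) {
		return unlisted
	}
	return fixed
}

// parseVersion accepts only a release number "X.Y.Z"; pre-release builds such as "10.6.0-rc1"
// are rejected, because the page states ranges in release numbers and an rc may predate the fix.
func parseVersion(s string) (major, minor, patch int, err error) {
	s = strings.TrimSpace(s)
	if _, err = fmt.Sscanf(s, "%d.%d.%d", &major, &minor, &patch); err != nil ||
		fmt.Sprintf("%d.%d.%d", major, minor, patch) != s {
		return 0, 0, 0, fmt.Errorf("%q is not a release number X.Y.Z; check its branch by hand", s)
	}
	return major, minor, patch, nil
}

// Report returns, in page order, the CVE IDs whose text covers the release and those whose text leaves its older branch unlisted.
func Report(version string) ([]string, []string, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return nil, nil, err
	}
	var affectedIDs, unlistedIDs []string
	for _, a := range advisories {
		switch a.classify(major, minor, patch) {
		case affected:
			affectedIDs = append(affectedIDs, a.id)
		case unlisted:
			unlistedIDs = append(unlistedIDs, a.id)
		}
	}
	return affectedIDs, unlistedIDs, nil
}

func main() {
	aff, unl, err := Report("9.11.8") // constructed example input
	fmt.Println(aff, unl, err)
}
```

Report works from the release numbers in the description text only, never from the module range column. A branch older than every branch an advisory names was typically already out of support when the fix shipped and never received it, so it is reported separately instead of being assumed clean; a branch newer than all named ones is assumed to have been cut after the fix. Pre-release strings are rejected rather than rounded up, because an rc can predate the fix that the release it is named after carries.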