GitHub.com Mattermost Server v8 vulnerabilities
180 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 180
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 117, LOW 43

Vulnerabilities
Page 2 of 9
CVE-2026-2457 [MEDIUM] CWE-346 Mattermost allows attackers to spoof permalink embeds
Affected: ≥ 0, < 8.0.0-20260123211116-9efe617be8b8 | Published: 2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
CVE-2026-22545 [LOW] CWE-863 Mattermost fails to validate the user's authentication method when processing an account auth type switch
Affected: ≥ 0, < 8.0.0-20260127144908-ced9a56e3988 | Published: 2026-03-16
Mattermost versions 10.11.x <= 10.11.10 fail to validate the user's authentication method when processing an account auth type switch, which allows an authenticated attacker to change the account password without confirmation by falsely claiming a different auth provider. Mattermos
CVE-2025-13821 [MEDIUM] CWE-200 Mattermost fails to sanitize sensitive data in WebSocket messages
Affected: ≥ 0, < 8.0.0-20251210191531-cd17b61de41b | Published: 2026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
CVE-2025-14350 [MEDIUM] CWE-862 Mattermost fails to properly validate team membership when processing channel mentions
Affected: ≥ 0, < 8.0.0-20251209134645-761e56bb11cc | Published: 2026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the chann
CVE-2026-0999 [MEDIUM] CWE-303 Mattermost fails to properly validate login method restrictions
Affected: ≥ 0, < 8.0.0-20251212052346-61651b0df7ea | Published: 2026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
CVE-2025-14573 [LOW] CWE-862 Mattermost fails to enforce invite permissions when updating team settings
Affected: ≥ 0, < 8.0.0-20251215190648-6404ab29acc0 | Published: 2026-02-16
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
CVE-2025-13767 [MEDIUM] CWE-863 Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
Affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | Published: 2025-12-24
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with acce
CVE-2025-64641 [MEDIUM] CWE-863 Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
Affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | Published: 2025-12-24
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Ji
CVE-2025-14273 [HIGH] CWE-303 Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm
Affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7a | Published: 2025-12-22
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated
CVE-2025-13324 [MEDIUM] CWE-863 Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Affected: ≥ 0, < 8.0.0-20251031095924-e7e23b94e006 | Published: 2025-12-17
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to
CVE-2025-62690 [LOW] CWE-601 Mattermost has missing redirect URL validation
Affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20251016131338-dad6bd7a1509 | Published: 2025-12-17
Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
CVE-2025-13352 [LOW] CWE-1287 Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection
Affected: ≥ 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014 | Published: 2025-12-17
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via craft
CVE-2025-13870 [LOW] CWE-284 Mattermost fails to validate user permissions in Boards
Affected: ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | Published: 2025-12-02
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user's permission when accessing files and subscribing to blocks in Boards, which allows an authenticated user to access other boards' files and to subscribe to blocks from other boards that the user does not have access to.
CVE-2025-12756 [MEDIUM] CWE-863 Mattermost fails to validate user permissions when deleting comments in Boards
Affected: ≥ 0, ≤ 8.0.0-20251013062617-7977e7e6dae3 | Published: 2025-12-01
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
CVE-2025-12419 [CRITICAL] CWE-287 Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
Affected: ≥ 0, < 8.0.0-20251028000919-d3ed703dc833 | Published: 2025-11-27
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account vi
CVE-2025-12421 [CRITICAL] CWE-287 Mattermost fails to verify the token used during code exchange
Affected: ≥ 0, < 8.0.0-20251022210333-acda1fb5dd46 | Published: 2025-11-27
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
CVE-2025-12559 [MEDIUM] CWE-200 Mattermost fails to sanitize team email addresses
Affected: ≥ 0, < 8.0.0-20251015091448-abbf01b9db45 | Published: 2025-11-27
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
CVE-2025-55074 [LOW] CWE-276 Mattermost allows other users to determine when users had read channels via channel member objects
Affected: ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | Published: 2025-11-18
Mattermost versions 10.11.x <= 10.11.3 and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
CVE-2025-11794 [MEDIUM] CWE-200 Mattermost allows system administrators to access password hashes and MFA secrets
Affected: ≥ 0, < 8.0.0-20250929212932-a41db04d2746 | Published: 2025-11-14
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
CVE-2025-55073 [MEDIUM] CWE-306 Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Affected: ≥ 0, < 8.0.0-20250929212932-a41db04d2746 | Published: 2025-11-14
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth re