Mattermost Server v8 (github.com/mattermost_mattermost_server_v8) vulnerabilities

199 known vulnerabilities affect github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities (page 2 of 10)
CVE-2026-20719 [MEDIUM, P3] CWE-754: Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more. Published: 2026-03-25
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitH
Sources: GHSA, OSV
CVE-2026-24458 [HIGH, P3] CWE-770: Mattermost fails to properly handle very long passwords
Affected: ≥ 0, < 8.0.0-20260129164748-7201f42d955f. Published: 2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Sources: GHSA, OSV
CVE-2024-8071 [MEDIUM, P3] CWE-284: Mattermost doesn't restrict which roles can promote a user as system admin
Affected: ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more. Published: 2024-08-22
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission,
Sources: GHSA, OSV
CVE-2024-41144 [HIGH, P3] CWE-284: Mattermost allows remote actor to create/update/delete posts in arbitrary channels
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +3 more. Published: 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
Sources: GHSA, OSV
CVE-2025-35965 [MEDIUM, P3] CWE-770: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more. Published: 2025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts
Sources: GHSA, OSV
CVE-2025-9081 [LOW, P3] CWE-639: Mattermost boards plugin fails to restrict download access to files
Affected: ≥ 0, < 8.0.0-20250721095935-11c36f4d1e44. Published: 2025-09-19
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
Sources: GHSA, OSV
CVE-2025-31363 [LOW, P3] CWE-201: Mattermost doesn't restrict domains LLM can request to contact upstream
Affected: ≥ 10.5.0, < 10.5.1; ≥ 10.4.0, < 10.4.3; +2 more. Published: 2025-04-16
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.
Sources: GHSA, OSV
CVE-2025-20621 [MEDIUM, P3] CWE-1287: Mattermost webapp crash via a crafted post
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more. Published: 2025-01-16
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
Sources: GHSA, OSV
CVE-2024-47401 [MEDIUM, P3] CWE-770: Mattermost Server vulnerable to application crash from attacker-generated large response
Affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc. Published: 2024-10-29
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to cr
Sources: GHSA, OSV
CVE-2025-9076 [MEDIUM, P3] CWE-862: Mattermost Missing Authorization vulnerability
Affected: ≥ 0, < 8.0.0-20250729073403-517ae758cd02. Published: 2025-09-15
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Sources: GHSA, OSV
CVE-2026-5163 [MEDIUM, P3] CWE-862: Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
Affected: ≥ 11.5.0, < 11.5.2; ≥ 0, < 8.0.0-20260401090745-f4d1abe7e8f5. Published: 2026-05-18
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post r
Sources: GHSA
CVE-2023-40703 [MEDIUM, P3] CWE-400: Mattermost Uncontrolled Resource Consumption vulnerability
Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more. Published: 2023-11-27
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
Sources: GHSA, OSV
CVE-2023-48268 [MEDIUM, P3] CWE-400: Mattermost Uncontrolled Resource Consumption vulnerability
Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more. Published: 2023-11-27
Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
Sources: GHSA, OSV
CVE-2025-20051 [CRITICAL, P3] CWE-22: Mattermost allows reading arbitrary files
Affected: ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more. Published: 2025-02-24
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Sources: GHSA, OSV
CVE-2025-41395 [MEDIUM, P3] CWE-1287: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more. Published: 2025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with malicious
Sources: GHSA, OSV
CVE-2024-39274 [CRITICAL, P3] CWE-284: Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more. Published: 2024-08-01
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remot
Sources: GHSA, OSV
CVE-2026-6345 [MEDIUM, P3] CWE-522: Mattermost doesn't prevent disclosure of created user password
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more. Published: 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Sources: GHSA
CVE-2025-6226 [MEDIUM, P3] CWE-306: Mattermost Missing Authentication for Critical Function
Affected: ≥ 0, < 8.0.0-20250520130510-fa40a8c5d47f. Published: 2025-07-18
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Sources: GHSA, OSV
CVE-2025-49222 [MEDIUM, P3] CWE-434: Mattermost Fails to Validate Remote Cluster Upload Sessions
Affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5. Published: 2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Sources: GHSA, OSV
CVE-2025-30179 [MEDIUM, P3] CWE-863: Mattermost Fails to Enforce Certain Search APIs
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Published: 2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
Sources: GHSA, OSV