Github.Com Mattermost Mattermost Server V8 vulnerabilities

180 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8 (the Go module github.com/mattermost/mattermost/server/v8). The affected ranges below are expressed as Go pseudo-versions of that module; the Mattermost release numbers quoted in each description are what to compare a deployment against.

Total CVEs: 180
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 117, LOW 43

Vulnerabilities

Page 3 of 9
CVE-2025-11776 | MEDIUM | CWE-863 | affected: ≥ 0, < 8.0.0-20250815165020-c8d66301415d | 2025-11-14 | sources: GHSA, OSV
Mattermost fails to properly restrict access to archived channel search API. Mattermost versions < 11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint.
CVE-2025-55070 | MEDIUM | CWE-306 | affected: ≥ 0, < 8.0.0-20250912063506-7d8b7b5e4a60 | 2025-11-14 | sources: GHSA, OSV
Mattermost does not enforce MFA on WebSocket connections. Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
CVE-2025-41436 | LOW | CWE-863 | affected: ≥ 0, < 8.0.0-20250815165020-c8d66301415d | 2025-11-14 | sources: GHSA, OSV
Mattermost allows regular users to access archived channel content and files. Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads.
CVE-2025-11777 | LOW | CWE-863 | affected: ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | 2025-11-13 | sources: GHSA, OSV
Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
CVE-2025-58073 | HIGH | CWE-862 | affected: ≥ 0, < 8.0.0-20250807174701-e14175eb6539 | 2025-10-16 | sources: GHSA, OSV
Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions by manipulating the OAuth state.
CVE-2025-58075 | HIGH | CWE-862 | affected: ≥ 0, < 8.0.0-20250815100400-2d5cdc6e217e | 2025-10-16 | sources: GHSA, OSV
Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions by manipulating the SAML RelayState.
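CVE-2025-58073 and CVE-2025-58075 are the same failure seen through two login protocols: the value that round-trips through the identity provider (the OAuth `state`, the SAML `RelayState`) carried the team-join decision, and the server did not re-check the join when the value came back. The Go sketch below is an added example, not Mattermost's code and not the project's fix. It shows one design that closes both holes: the state is HMAC-signed so the client cannot edit the team or invite token in transit, and the join is re-evaluated at callback time against the team's current invite settings, so even an honestly issued but stale token is refused. The `stateClaims` and `team` types, the signing key and the `mayJoin` policy are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// stateClaims is what the server wants to carry across the identity-provider
// round trip. Simplified model for this example, not Mattermost's structure.
type stateClaims struct {
	Nonce       string `json:"n"`
	TeamID      string `json:"t"`
	InviteToken string `json:"i"`
}

// issueState serialises the claims and appends an HMAC-SHA256 tag so the
// client cannot alter any field while the value is in its hands.
func issueState(key []byte, c stateClaims) string {
	body, _ := json.Marshal(c)
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(mac.Sum(nil))
}

// parseState verifies the tag (constant-time) before trusting any field.
func parseState(key []byte, s string) (stateClaims, bool) {
	var c stateClaims
	parts := strings.SplitN(s, ".", 2)
	if len(parts) != 2 {
		return c, false
	}
	enc := base64.RawURLEncoding
	body, err1 := enc.DecodeString(parts[0])
	tag, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return c, false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return c, false
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, false
	}
	return c, true
}

// team holds the subset of team settings the join decision depends on
// (assumed names; a real model has more fields).
type team struct {
	ID              string
	InviteID        string
	AllowOpenInvite bool
	AllowedDomains  []string
}

// mayJoin is the authorization decision made at callback time against the
// team's current settings, regardless of what the signed state asserts.
// A token for another team, a rotated invite ID or a disallowed e-mail
// domain all fail here even though the state itself verified.
func mayJoin(t team, c stateClaims, userEmail string) bool {
	if c.TeamID != t.ID || !emailDomainAllowed(t.AllowedDomains, userEmail) {
		return false
	}
	if t.AllowOpenInvite {
		return true
	}
	return c.InviteToken != "" && hmac.Equal([]byte(c.InviteToken), []byte(t.InviteID))
}

func emailDomainAllowed(domains []string, email string) bool {
	if len(domains) == 0 {
		return true
	}
	at := strings.LastIndexByte(email, '@')
	if at < 0 {
		return false
	}
	d := strings.ToLower(email[at+1:])
	for _, allowed := range domains {
		if d == strings.ToLower(allowed) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("server-side-signing-key") // constructed for the example
	tm := team{ID: "team-eng", InviteID: "inv-7f3a", AllowedDomains: []string{"corp.example"}}
	s := issueState(key, stateClaims{Nonce: "n1", TeamID: "team-eng", InviteToken: "inv-7f3a"})
	c, ok := parseState(key, s)
	fmt.Println("state verifies:", ok, "alice may join:", mayJoin(tm, c, "alice@corp.example"))
	forged := issueState([]byte("attacker-key"), stateClaims{TeamID: "team-eng", InviteToken: "inv-7f3a"})
	_, ok = parseState(key, forged)
	fmt.Println("forged state verifies:", ok)
}
```

The two checks are deliberately independent: signing alone would still honour a legitimately issued state whose invite has since been rotated, and re-validation alone would still let a client swap the team ID. Which of the two the project's own fix adopted is not stated on this page.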
CVE-2025-41443 | MEDIUM | CWE-862 | affected: ≥ 0, < 8.0.0-20250822090405-e8c7e7d0252b | 2025-10-16 | sources: GHSA, OSV
Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.
CVE-2025-41410 | MEDIUM | CWE-862 | affected: ≥ 0, < 8.0.0-20250822083415-01b95392a450 | 2025-10-16 | sources: GHSA, OSV
Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data and so bypass email-based team access restrictions.
CVE-2025-54499 | LOW | CWE-208 | affected: ≥ 0, < 8.0.0-20250728063359-38208b8f065f | 2025-10-16 | sources: GHSA, OSV
Mattermost has an Observable Timing Discrepancy vulnerability. Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons, which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
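To make the "byte-by-byte brute force" in CVE-2025-54499 concrete, the Go example below (added here; not Mattermost's code, and the secret and function names are constructed for illustration) puts an early-exit comparison next to a constant-time one. The early-exit version returns the length of the matching prefix; in a real server that number is never returned, but it is exactly what response-time statistics recover, so `recoverWithPrefixOracle` simulates the attack with that signal alone and needs at most 256 guesses per byte instead of 256^n in total. `secureEqual` hashes both sides and compares with `crypto/subtle`, which also stops the length check from leaking.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// insecureEqual is what a plain string == or a hand-rolled loop does: it
// stops at the first mismatching byte, so its running time grows with the
// length of the shared prefix. The prefix length is returned only to make
// the leak visible in the simulation; a server leaks it through timing.
func insecureEqual(secret, guess []byte) (bool, int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		if secret[i] != guess[i] {
			return false, i
		}
	}
	return true, len(secret)
}

// secureEqual compares SHA-256 digests with a constant-time primitive, so
// neither the content nor the length of the stored secret affects timing.
func secureEqual(secret, guess []byte) bool {
	a := sha256.Sum256(secret)
	b := sha256.Sum256(guess)
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// recoverWithPrefixOracle reconstructs an n-byte secret using only a
// "how many leading bytes matched" oracle, the information a timing side
// channel yields. Cost is linear in n: at most 256*n oracle calls.
func recoverWithPrefixOracle(oracle func([]byte) int, n int) []byte {
	guess := make([]byte, n)
	for pos := 0; pos < n; pos++ {
		for b := 0; b < 256; b++ {
			guess[pos] = byte(b)
			if oracle(guess) > pos { // byte at pos is now correct
				break
			}
		}
	}
	return guess
}

func main() {
	secret := []byte("cloud-api-key-0123") // constructed sample secret
	oracle := func(g []byte) int {
		_, n := insecureEqual(secret, g)
		return n
	}
	recovered := recoverWithPrefixOracle(oracle, len(secret))
	fmt.Printf("recovered %q through the early-exit comparison\n", recovered)
	fmt.Println("constant-time compare, correct key:", secureEqual(secret, secret))
	fmt.Println("constant-time compare, wrong key:  ", secureEqual(secret, []byte("cloud-api-key-0124")))
}
```

Hashing before comparing is what lets secrets of different lengths be compared without an early length check; if the stored value is already a fixed-length hash (as API keys should be stored), `subtle.ConstantTimeCompare` on the two digests is enough.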
CVE-2025-10545 | LOW | CWE-863 | affected: ≥ 0, < 8.0.0-20250820115038-ff30b84049f0 | 2025-10-16 | sources: GHSA, OSV
Mattermost has an Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.
CVE-2025-9079 | HIGH | CWE-22 | affected: ≥ 0, < 8.0.0-20250707221302-a8fa77f107ef | 2025-09-19 | sources: GHSA, OSV
Mattermost Path Traversal vulnerability. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via a malicious plugin upload to the prepackaged plugins directory.
CVE-2025-9081 | LOW | CWE-639 | affected: ≥ 0, < 8.0.0-20250721095935-11c36f4d1e44 | 2025-09-19 | sources: GHSA, OSV
Mattermost boards plugin fails to restrict download access to files. Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.
CVE-2025-9072 | HIGH | CWE-601 | affected: ≥ 0, < 8.0.0-20250731063404-9eebaadf8f72 | 2025-09-15 | sources: GHSA, OSV
Mattermost Open Redirect vulnerability. Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL.
CVE-2025-9076 | MEDIUM | CWE-862 | affected: ≥ 0, < 8.0.0-20250729073403-517ae758cd02 | 2025-09-15 | sources: GHSA, OSV
Mattermost Missing Authorization vulnerability. Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
CVE-2025-9078 | MEDIUM | CWE-328 | affected: ≥ 0, < 8.0.0-20250718075842-cd87e5c87737 | 2025-09-15 | sources: GHSA, OSV
Mattermost makes Use of Weak Hash. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata, which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
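The cache-poisoning route in CVE-2025-9078 is easier to see with a working collision. The Go example below is added here, not Mattermost's code; the page does not say how the real cache key was derived or which FNV width was used, so the example assumes the weak pattern in its simplest form: a 32-bit FNV-1 digest of the URL stands in for the URL as the map key. A birthday search then finds two URLs sharing a key in roughly 2^16 attempts, and whoever populates the entry first decides what the other URL previews as (a second-preimage against one chosen URL costs about 2^32 FNV-1 evaluations for a 32-bit key, still seconds). The hardened cache keys on a collision-resistant hash of the full URL plus the scope it may be served in, with length-prefixed fields so concatenation cannot alias.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
)

// fnv1Key is the weak pattern: a 32-bit non-cryptographic digest of the URL
// is used as the cache key instead of the URL itself.
func fnv1Key(url string) uint32 {
	h := fnv.New32() // FNV-1; FNV-1a is equally easy to collide
	h.Write([]byte(url))
	return h.Sum32()
}

// findCollision runs a birthday search for two distinct URLs with the same
// FNV-1 key. For a 32-bit digest this takes about 2^16 candidates.
func findCollision(prefix string) (string, string) {
	seen := make(map[uint32]string)
	for i := 0; ; i++ {
		cand := fmt.Sprintf("%s%d", prefix, i)
		k := fnv1Key(cand)
		if prev, ok := seen[k]; ok {
			return prev, cand
		}
		seen[k] = cand
	}
}

// weakPreviewCache stores link metadata under the hashed URL only, so every
// colliding URL resolves to whichever preview was stored first.
type weakPreviewCache struct{ m map[uint32]string }

func newWeakPreviewCache() *weakPreviewCache { return &weakPreviewCache{m: map[uint32]string{}} }
func (c *weakPreviewCache) Put(url, preview string) { c.m[fnv1Key(url)] = preview }
func (c *weakPreviewCache) Get(url string) (string, bool) {
	p, ok := c.m[fnv1Key(url)]
	return p, ok
}

// safeKey binds the entry to the exact URL and to the scope it may be served
// in (a channel ID here), hashing length-prefixed fields with SHA-256 so
// ("ab","c") and ("a","bc") produce different keys.
func safeKey(channelID, url string) string {
	h := sha256.New()
	for _, f := range []string{channelID, url} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write([]byte(f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

type safePreviewCache struct{ m map[string]string }

func newSafePreviewCache() *safePreviewCache { return &safePreviewCache{m: map[string]string{}} }
func (c *safePreviewCache) Put(channelID, url, preview string) {
	c.m[safeKey(channelID, url)] = preview
}
func (c *safePreviewCache) Get(channelID, url string) (string, bool) {
	p, ok := c.m[safeKey(channelID, url)]
	return p, ok
}

func main() {
	victim, attacker := findCollision("https://example.com/article?id=") // constructed URLs
	fmt.Printf("collision: %q and %q share FNV-1 key %08x\n", victim, attacker, fnv1Key(victim))
	weak := newWeakPreviewCache()
	weak.Put(attacker, "attacker-controlled title and image")
	got, _ := weak.Get(victim)
	fmt.Println("weak cache serves for the victim URL:", got)
	safe := newSafePreviewCache()
	safe.Put("chan-A", attacker, "attacker-controlled title and image")
	_, ok := safe.Get("chan-A", victim)
	fmt.Println("safe cache hit for the victim URL:", ok)
}
```

Including the scope in the key is what addresses the "access unauthorized posts" half of the description: a cached entry can then only be served back into the channel it was generated for.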
CVE-2025-9084 | LOW | CWE-601 | affected: ≥ 0, < 8.0.0-20250808070439-bd251fe4f600 | 2025-09-15 | sources: GHSA, OSV
Mattermost Open Redirect vulnerability. Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs, which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.
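CVE-2025-9072 and CVE-2025-9084 both come down to a post-login redirect target that the server accepted from the request. The Go function below is an added example of what validating such a parameter looks like; it is not Mattermost's code, and the site URL, parameter name and allow-list policy are assumptions. The policy is deliberately narrow: a relative path with exactly one leading slash, or an absolute URL whose scheme and host equal the site's own; anything else (other hosts, protocol-relative `//host`, backslash variants, `javascript:` and other schemes, `user@host` tricks) falls back to the site root.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeRedirect returns the redirect target to use after authentication and
// whether the supplied value was accepted. Anything not provably on our own
// site is replaced by "/".
func safeRedirect(siteURL, redirectTo string) (string, bool) {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "/", false
	}
	// Backslashes and whitespace are how browsers and parsers disagree;
	// refuse them outright rather than guess which interpretation wins.
	if redirectTo == "" || strings.ContainsAny(redirectTo, "\\\r\n\t ") {
		return "/", false
	}
	target, err := url.Parse(redirectTo)
	if err != nil || target.User != nil {
		return "/", false
	}
	switch {
	case target.Scheme == "" && target.Host == "":
		// Relative reference: require a single leading slash so that
		// "//evil.example" (protocol-relative) and "evil.example" are out.
		if !strings.HasPrefix(target.Path, "/") || strings.HasPrefix(target.Path, "//") {
			return "/", false
		}
		return target.String(), true
	case strings.EqualFold(target.Scheme, site.Scheme) && strings.EqualFold(target.Host, site.Host):
		// Absolute URL, but only for our exact scheme and host
		// (a subdomain or a host that merely starts with ours is rejected).
		return target.String(), true
	default:
		return "/", false
	}
}

func main() {
	site := "https://chat.example.com" // assumed site URL
	for _, r := range []string{
		"/channels/town-square",
		"https://chat.example.com/login",
		"https://evil.example/",
		"//evil.example/",
		"/\\evil.example",
		"javascript:alert(1)",
		"https://chat.example.com@evil.example/",
	} {
		got, ok := safeRedirect(site, r)
		fmt.Printf("%-42q accepted=%-5v -> %s\n", r, ok, got)
	}
}
```

The same function should run on the server side of the callback, not only when the login link is built: both CVEs are about the value that arrives after the identity provider round trip.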
CVE-2025-6465 | MEDIUM | CWE-22 | affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5 | 2025-08-21 | sources: GHSA, OSV
Mattermost Fails to Sanitize File Names. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
CVE-2025-47870 | MEDIUM | CWE-306 | affected: ≥ 0, < 8.0.0-20250708065844-b38e2eccda18 | 2025-08-21 | sources: GHSA, OSV
Mattermost Does Not Sanitize the Team Invite ID. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to obtain the team's invite ID.
CVE-2025-49222 | MEDIUM | CWE-434 | affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5 | 2025-08-21 | sources: GHSA, OSV
Mattermost Fails to Validate Remote Cluster Upload Sessions. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions, which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
CVE-2025-36530 | MEDIUM | CWE-22 | affected: ≥ 0, < 8.0.0-20250619095651-9dd0b3943e55 | 2025-08-21 | sources: GHSA, OSV
Mattermost Fails to Validate File Paths. Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
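Four entries on this page (CVE-2025-9079, CVE-2025-6465, CVE-2025-49222 and CVE-2025-36530) are variations on one missing check: a path or file name taken from a request or an import archive was joined onto a storage directory without confirming the result stayed inside it. The Go example below is added here and is not Mattermost's code; the root directory and file names are constructed for illustration. `joinUnderRoot` is the containment test for a relative path (it treats backslashes as separators so `..\..\` cannot slip past a check that only knows `/`, and refuses absolute paths and the root itself), and `safeAttachmentName` is the stricter rule for something that should be a single file name, such as a thumbnail.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("unsafe path: escapes the allowed directory")

// normalizeSeparators treats backslashes as separators on every OS, so a
// Windows-style traversal is checked the same way as a POSIX one.
func normalizeSeparators(p string) string {
	return strings.ReplaceAll(p, "\\", "/")
}

// joinUnderRoot resolves an untrusted relative path beneath root and fails
// closed if the cleaned result leaves root. The check is lexical only: if
// root may contain symlinks, resolve both sides with filepath.EvalSymlinks
// and run the same containment test on the resolved paths.
func joinUnderRoot(root, untrusted string) (string, error) {
	if untrusted == "" || strings.ContainsRune(untrusted, 0) {
		return "", errUnsafePath
	}
	rel := filepath.FromSlash(normalizeSeparators(untrusted))
	if filepath.IsAbs(rel) || filepath.VolumeName(rel) != "" {
		return "", errUnsafePath
	}
	full := filepath.Join(root, rel) // Join cleans "." and ".." segments
	back, err := filepath.Rel(root, full)
	if err != nil || back == "." || back == ".." ||
		strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", errUnsafePath
	}
	return full, nil
}

// safeAttachmentName reduces a client-supplied file name to one path
// component, the only shape acceptable for a file written into a
// per-post or per-thumbnail directory.
func safeAttachmentName(name string) (string, error) {
	base := path.Base(normalizeSeparators(name))
	if base == "." || base == ".." || base == "/" || base == "" ||
		strings.ContainsAny(base, "\x00\r\n") {
		return "", errUnsafePath
	}
	return base, nil
}

func main() {
	root := "/var/mattermost/data" // assumed storage root
	for _, p := range []string{
		"thumbs/abc.png",
		"../../etc/passwd",
		"..\\..\\etc\\passwd",
		"/etc/passwd",
		"plugins/../../../tmp/evil.tar.gz",
	} {
		full, err := joinUnderRoot(root, p)
		fmt.Printf("%-36q -> %q %v\n", p, full, err)
	}
	name, err := safeAttachmentName("../../thumb.png")
	fmt.Printf("attachment name: %q %v\n", name, err)
}
```

For the plugin cases the check is applied twice: once to the configured import or prepackaged directory itself (it must be the directory the operator intended, not one that points into the plugin search path) and once to every entry name read out of the archive.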
Github.Com Mattermost Mattermost Server V8 vulnerabilities | cvebase