github.com/mattermost/mattermost/server/v8 vulnerabilities
199 known vulnerabilities affecting the Go module github.com/mattermost/mattermost/server/v8 (indexed here under the slug github.com/mattermost_mattermost_server_v8). Version ranges written as 8.0.0-YYYYMMDDhhmmss-<commit> below are Go pseudo-versions of that module, not Mattermost release numbers; the release numbers that are actually affected are given in each description.
Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48
Vulnerabilities
Page 4 of 10
CVE-2024-39837 [LOW] CWE-284 Mattermost did not properly restrict channel creation
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.9.0, < 9.9.1; +1 more | P4 | 2024-08-01
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote cluster to create arbitrary channels when shared channels are enabled.
Sources: GHSA, OSV
CVE-2025-27936 [MEDIUM] CWE-208 Mattermost vulnerable to Observable Timing Discrepancy
Affected: ≥ 10.5.0, < 10.5.2; ≥ 0, < 8.0.0-20250314142426-c049748b8863 | P4 | 2025-04-16
Mattermost Plugin MSTeams versions < 2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform a constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to recover the plugin's webhook secret via a timing attack against the secret comparison.
Sources: GHSA, OSV
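CVE-2025-27936 above is a textbook CWE-208. The Go block below is an added example, not code from Mattermost or the MS Teams plugin: it places the early-exit comparison that leaks timing next to a constant-time one built on crypto/subtle, wrapped in the shape a webhook handler's secret check should take. The names leakyEqual, constantTimeEqual and verifyWebhookSecret and the sample secret are ours.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// leakyEqual is the pattern CWE-208 describes: it returns at the first
// mismatching byte, so the time it takes grows with the number of leading
// bytes the caller has already guessed correctly. Given enough samples an
// attacker recovers the secret one byte at a time.
func leakyEqual(provided, secret string) bool {
	if len(provided) != len(secret) {
		return false
	}
	for i := 0; i < len(secret); i++ {
		if provided[i] != secret[i] {
			return false
		}
	}
	return true
}

// constantTimeEqual hashes both inputs to fixed-length digests before
// comparing them. Hashing first hides the secret's length (a plain
// ConstantTimeCompare returns early on a length mismatch), and
// subtle.ConstantTimeCompare touches every byte regardless of where the
// first difference is, so run time no longer depends on the guess.
func constantTimeEqual(provided, secret string) bool {
	p := sha256.Sum256([]byte(provided))
	s := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

// verifyWebhookSecret is the check a webhook handler should run: the
// configured value is the reference, the header or query parameter from
// the request is the untrusted input. An unset secret fails closed instead
// of matching an empty string.
func verifyWebhookSecret(configured, fromRequest string) bool {
	if configured == "" {
		return false
	}
	return constantTimeEqual(fromRequest, configured)
}

func main() {
	const secret = "s3cr3t-webhook-token" // constructed sample value
	fmt.Println("leaky, correct guess:    ", leakyEqual(secret, secret))
	fmt.Println("leaky, partial guess:    ", leakyEqual("s3cr3t-webhook-XXXXX", secret))
	fmt.Println("constant-time, correct:  ", verifyWebhookSecret(secret, secret))
	fmt.Println("constant-time, short:    ", verifyWebhookSecret(secret, "s3cr3t"))
	fmt.Println("constant-time, unset cfg:", verifyWebhookSecret("", ""))
}
```

Where the webhook carries an HMAC over the body rather than a shared token, the same rule applies: compare the two MACs with hmac.Equal, never with ==.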
CVE-2026-3112 [MEDIUM] CWE-22 Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | P4 | 2026-03-26
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths, which allows system administrators to read arbitrary host files via a malicious AdvancedLoggingJSON configuration.
Sources: GHSA, OSV
CVE-2025-55073 [MEDIUM] CWE-306 Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Affected: ≥ 0, < 8.0.0-20250929212932-a41db04d2746 | P4 | 2025-11-14
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Sources: GHSA, OSV
CVE-2025-6233 [MEDIUM] CWE-22 Mattermost Path Traversal vulnerability
Affected: ≥ 0, < 8.0.0-20250529054450-d38c27f96fcf | P4 | 2025-07-18
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Sources: GHSA, OSV
CVE-2025-13821 [MEDIUM] CWE-200 Mattermost fails to sanitize sensitive data in WebSocket messages
Affected: ≥ 0, < 8.0.0-20251210191531-cd17b61de41b | P4 | 2026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Sources: GHSA, OSV
CVE-2025-3230 [MEDIUM] CWE-303 Mattermost fails to properly invalidate personal access tokens upon user deactivation
Affected: ≥ 10.7.0-rc1, < 10.7.1; ≥ 10.6.0-rc1, < 10.6.3; +3 more | P4 | 2025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of pre
Sources: GHSA, OSV
CVE-2025-46702 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Affected: ≥ 0, < 8.0.0-20250513065225-4ae5d647fb88; ≥ 9.11.0, < 9.11.16; +4 more | P4 | 2025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via th
Sources: GHSA, OSV
CVE-2026-4274 [MEDIUM] CWE-863 Mattermost has an Incorrect Authorization issue
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | P4 | 2026-03-26
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team m
Sources: GHSA, OSV
CVE-2023-5969 [MEDIUM] CWE-400 Mattermost vulnerable to excessive memory consumption
Affected: ≥ 8.0.0, < 8.0.4; ≥ 8.1.0, < 8.1.3; +1 more | P4 | 2023-11-06
Mattermost fails to properly sanitize requests to `/api/v4/redirect_location`, allowing an attacker who sends a specially crafted request to that endpoint to fill up server memory, because large items are cached.
Sources: GHSA, OSV
CVE-2025-2475 [MEDIUM] CWE-303 Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
Affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more | P4 | 2025-04-14
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot, which allows an attacker to log in to the bot exactly once using the account's normal credentials.
Sources: GHSA, OSV
CVE-2025-47871 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Affected: ≥ 0, < 8.0.0-20250513065225-4ae5d647fb88; ≥ 9.11.0, < 9.11.16; +4 more | P4 | 2025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display nam
Sources: GHSA, OSV
CVE-2026-6333 [LOW] CWE-918 Mattermost doesn't validate the Host header when constructing response URLs for custom slash commands
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | P4 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.
Sources: GHSA
CVE-2025-36530 [MEDIUM] CWE-22 Mattermost Fails to Validate File Paths
Affected: ≥ 0, < 8.0.0-20250619095651-9dd0b3943e55 | P4 | 2025-08-21
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Sources: GHSA, OSV
CVE-2025-8023 [MEDIUM] CWE-22 Mattermost Fails to Sanitize Path Traversal Sequences
Affected: ≥ 0, < 8.0.0-20250708065844-b38e2eccda18 | P4 | 2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
Sources: GHSA, OSV
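Four of the entries on this page (CVE-2026-3112, CVE-2025-6233, CVE-2025-36530 and CVE-2025-8023) are the same CWE-22 mistake at different file-handling sites: an operator- or import-supplied path is joined onto a base directory without checking that the result stays inside it. The Go block below is an added example, not Mattermost code, of the containment check those sites needed. SecureJoin, ErrOutsideRoot and the sample root and paths are ours; the logic generalises to any base directory plus untrusted relative path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes the allowed root")

// SecureJoin resolves an untrusted path (an attachment name from an import
// archive, a template destination, a log file target) against root and
// returns the joined path only if it stays strictly inside root.
//
// Order of checks:
//  1. empty input is rejected;
//  2. backslashes are treated as separators so "..\\..\\x" does not slip
//     past filepath.Clean on a POSIX host;
//  3. absolute paths are rejected before joining, because
//     filepath.Join(root, "/etc/passwd") would silently yield
//     root + "/etc/passwd" and hide the intent;
//  4. after Join (which Cleans, collapsing "a/../.."), filepath.Rel from
//     root must not start with ".." and must not be "." (the root itself
//     is a directory, never a valid file destination).
func SecureJoin(root, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty path")
	}
	normalized := strings.ReplaceAll(untrusted, "\\", "/")
	if filepath.IsAbs(normalized) || strings.HasPrefix(normalized, "/") {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, filepath.FromSlash(normalized))
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", errors.New("path resolves to the root directory itself")
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	root := "/srv/mattermost/import" // constructed sample root
	for _, p := range []string{
		"attachments/photo.png",
		"nested/../flat.jsonl",
		"../../etc/passwd",
		"/etc/passwd",
		"..\\..\\..\\etc\\shadow",
		"ok/../../../../root/.ssh/authorized_keys",
		".",
	} {
		if got, err := SecureJoin(root, p); err != nil {
			fmt.Printf("%-45q rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-45q -> %s\n", p, got)
		}
	}
}
```

SecureJoin is a lexical check: it does not follow symlinks, so if the root may already contain attacker-placed links (an extracted archive, for instance), open files through a handle rooted at the directory (os.Root in Go 1.24 and later) or resolve with filepath.EvalSymlinks and re-check before writing.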
CVE-2023-7113 [LOW] CWE-79 Mattermost Cross-site Scripting vulnerability
Affected: ≥ 0, < 8.1.7 | P4 | 2023-12-29
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
Sources: GHSA, OSV
CVE-2026-2456 [MEDIUM] CWE-789 Mattermost fails to limit the size of responses from integration action endpoints
Affected: ≥ 0, < 8.0.0-20260127165411-fe3052073dc6 | P4 | 2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an
Sources: GHSA, OSV
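The CWE-789 pattern in CVE-2026-2456 (and the caching variant in CVE-2023-5969 earlier on this page) is a server reading an untrusted HTTP response with no upper bound. The Go block below is an added example, not Mattermost code, of the bounded read that closes it: readBoundedBody caps memory, the client timeout caps time, and newStreamingServer is a constructed stand-in for a hostile integration that streams a body with no Content-Length. Those three names and the 1 MiB limit are ours.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// maxIntegrationResponseBytes is a constructed limit; size it to the
// largest legitimate interactive-message update you expect, not to RAM.
const maxIntegrationResponseBytes int64 = 1 << 20

var ErrResponseTooLarge = errors.New("integration response exceeds size limit")

// readBoundedBody reads at most limit bytes. Asking LimitReader for limit+1
// distinguishes "exactly limit" from "over limit" while never holding more
// than limit+1 bytes, whereas io.ReadAll(resp.Body) grows without bound.
func readBoundedBody(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// postIntegrationAction posts the action payload and returns the bounded
// body. A client with a Timeout set bounds a server that trickles bytes
// forever, which the size cap alone would not.
func postIntegrationAction(client *http.Client, endpoint, payload string, limit int64) ([]byte, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBoundedBody(resp.Body, limit)
}

// newStreamingServer is a constructed malicious integration: it streams
// totalBytes in flushed chunks, so the response is chunked with no
// Content-Length and the client learns the size only by reading it all.
func newStreamingServer(totalBytes int64) *httptest.Server {
	chunk := []byte(strings.Repeat("A", 64*1024))
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		for sent := int64(0); sent < totalBytes; {
			n := int64(len(chunk))
			if rest := totalBytes - sent; rest < n {
				n = rest
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // the client stopped reading; give up
			}
			sent += n
			if f, ok := w.(http.Flusher); ok {
				f.Flush()
			}
		}
	}))
}

func main() {
	srv := newStreamingServer(64 << 20) // 64 MiB, far past the 1 MiB cap
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	body, err := postIntegrationAction(client, srv.URL, `{"user_id":"u1","context":{}}`, maxIntegrationResponseBytes)
	fmt.Printf("bytes kept: %d, err: %v\n", len(body), err)
}
```

The same cap belongs in front of any JSON decoder that consumes the body: decode from the bounded bytes, never from resp.Body directly.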
CVE-2025-9072 [HIGH] CWE-601 Mattermost Open Redirect vulnerability
Affected: ≥ 0, < 8.0.0-20250731063404-9eebaadf8f72 | P4 | 2025-09-15
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL.
Sources: GHSA, OSV
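CVE-2025-9072 is rated HIGH because the redirect fires after SAML login, so the destination receives an authenticated session. The Go block below is an added example, not Mattermost code, of validating a redirect_to value against a configured site URL. It accepts only rooted paths or absolute URLs on the same scheme and host, and rejects the usual bypasses: protocol-relative "//host", credentials in the authority, other schemes, lookalike hosts and backslash variants. SafeRedirectTarget, ErrUnsafeRedirect and the sample site URL are ours.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrUnsafeRedirect = errors.New("redirect_to is not a same-origin target")

// SafeRedirectTarget returns redirectTo if following it keeps the browser
// on the configured site, and ErrUnsafeRedirect otherwise (callers should
// then fall back to "/"). Two forms are accepted: a rooted path such as
// "/channels/town-square?x=1", or an absolute URL whose scheme and host
// equal those of siteURL (case-insensitively; port must match exactly).
func SafeRedirectTarget(siteURL, redirectTo string) (string, error) {
	if redirectTo == "" {
		return "/", nil
	}
	// Browsers treat "\" as "/" in the authority position, so "/\evil.example"
	// navigates to //evil.example. url.Parse already rejects control bytes.
	if strings.Contains(redirectTo, "\\") {
		return "", ErrUnsafeRedirect
	}
	target, err := url.Parse(redirectTo)
	if err != nil {
		return "", ErrUnsafeRedirect
	}
	// "https://chat.example.com@evil.example/" puts our host in the userinfo;
	// "javascript:alert(1)" and "mailto:" parse as opaque URLs.
	if target.User != nil || target.Opaque != "" {
		return "", ErrUnsafeRedirect
	}
	if target.Scheme != "" || target.Host != "" {
		// Absolute (or protocol-relative) form: the origin must match exactly.
		// A downgrade to http:// or a lookalike host fails here.
		site, err := url.Parse(siteURL)
		if err != nil || site.Scheme == "" || site.Host == "" {
			return "", ErrUnsafeRedirect
		}
		if !strings.EqualFold(target.Scheme, site.Scheme) || !strings.EqualFold(target.Host, site.Host) {
			return "", ErrUnsafeRedirect
		}
		return target.String(), nil
	}
	// Relative form: require a rooted path so the browser resolves it against
	// our origin rather than against whatever page issued the request.
	if !strings.HasPrefix(target.Path, "/") {
		return "", ErrUnsafeRedirect
	}
	return target.String(), nil
}

func main() {
	const site = "https://chat.example.com" // constructed SiteURL
	for _, in := range []string{
		"/channels/town-square?x=1",
		"https://chat.example.com/login",
		"//evil.example/",
		"https://chat.example.com@evil.example/",
		"https://chat.example.com.evil.example/",
		"javascript:alert(1)",
		"/\\evil.example",
		"http://chat.example.com/",
	} {
		if out, err := SafeRedirectTarget(site, in); err != nil {
			fmt.Printf("%-42q rejected\n", in)
		} else {
			fmt.Printf("%-42q -> %s\n", in, out)
		}
	}
}
```

Run the check at the point the redirect is issued, after authentication completes, not only when the login page is first rendered; a value that was safe when stored in the session must still be validated before the Location header is written.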
CVE-2023-48369 [MEDIUM] CWE-400 Mattermost Uncontrolled Resource Consumption vulnerability
Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | P4 | 2023-11-27
Mattermost fails to limit the size of server logs, allowing an attacker who sends specially crafted requests to different endpoints to potentially overflow the log.
Sources: GHSA, OSV
CVE-2025-22445 [LOW] CWE-754 Mattermost has Improper Check for Unusual or Exceptional Conditions
Affected: ≥ 10.0, < 10.3.0; ≥ 0, < 8.0.0-20250102081831-64c566a8280b | P4 | 2025-01-09
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, so incorrect UI reporting can mislead admins about a security-sensitive Calls configuration value.
Sources: GHSA, OSV