Github.Com Mattermost Mattermost Server V8 vulnerabilities

CVE-2025-8402 [MEDIUM] CWE-476 Mattermost has Potential Server Crash due to Unvalidated Import Data Mattermost has Potential Server Crash due to Unvalidated Import Data Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

CVE-2025-8023 [MEDIUM] CWE-22 Mattermost Fails to Sanitize Path Traversal Sequences Mattermost Fails to Sanitize Path Traversal Sequences Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.

CVE-2025-47700 [LOW] CWE-918 Mattermost Server SSRF Vulnerability via the Agents Plugin Mattermost Server SSRF Vulnerability via the Agents Plugin Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

CVE-2025-49810 [LOW] CWE-863 Mattermost Lack of Access Control Validation Mattermost Lack of Access Control Validation Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts

CVE-2025-53971 [LOW] CWE-863 Mattermost Fails to Properly Validate Team Role Modification Mattermost Fails to Properly Validate Team Role Modification Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

CVE-2025-6233 [MEDIUM] CWE-22 Mattermost Path Traversal vulnerability Mattermost Path Traversal vulnerability Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.

CVE-2025-6226 [MEDIUM] CWE-306 Mattermost Missing Authentication for Critical Function Mattermost Missing Authentication for Critical Function Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.

CVE-2025-6227 [LOW] CWE-522 Mattermost has Insufficiently Protected Credentials Mattermost has Insufficiently Protected Credentials Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

CVE-2025-46702 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability Mattermost Incorrect Authorization vulnerability Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via th

CVE-2025-47871 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability Mattermost Incorrect Authorization vulnerability Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display nam

CVE-2025-4981 [CRITICAL] CWE-427 Mattermost allows authenticated users to write files to arbitrary locations Mattermost allows authenticated users to write files to arbitrary locations Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam

CVE-2025-3227 [MEDIUM] CWE-863 Mattermost allows unauthorized channel member management through playbook runs Mattermost allows unauthorized channel member management through playbook runs Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and pri

CVE-2025-3228 [MEDIUM] CWE-863 Mattermost allows an unauthorized Guest user access to Playbook Mattermost allows an unauthorized Guest user access to Playbook Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

CVE-2025-4573 [MEDIUM] CWE-90 Mattermost allows authenticated administrator to execute LDAP search filter injection Mattermost allows authenticated administrator to execute LDAP search filter injection Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT

CVE-2025-4128 [LOW] CWE-863 Mattermost allows guest users to view information about public teams they are not members of Mattermost allows guest users to view information about public teams they are not members of Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.

CVE-2025-2571 [MEDIUM] CWE-303 Mattermost fails to clear Google OAuth credentials Mattermost fails to clear Google OAuth credentials Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

CVE-2025-3230 [MEDIUM] CWE-303 Mattermost fails to properly invalidate personal access tokens upon user deactivation Mattermost fails to properly invalidate personal access tokens upon user deactivation Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of pre

CVE-2025-1792 [LOW] CWE-863 Mattermost fails to properly enforce access controls for guest users Mattermost fails to properly enforce access controls for guest users Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

CVE-2025-3611 [LOW] CWE-863 Mattermost fails to properly enforce access control restrictions for System Manager roles Mattermost fails to properly enforce access control restrictions for System Manager roles Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests t

CVE-2025-3913 [MEDIUM] CWE-863 Mattermost improperly allows team administrators to modify team invites Mattermost improperly allows team administrators to modify team invites Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.