github.com/mattermost/mattermost/server/v8 vulnerabilities

180 known vulnerabilities affecting github.com/mattermost/mattermost/server/v8.

Total CVEs: 180
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 117, LOW 43

Vulnerabilities

Page 5 of 9
CVE-2025-2527 [MEDIUM] CWE-863: Mattermost Fails to Verify User's Permissions When Accessing Groups
Affected: ≥ 10.5.0, < 10.5.3; ≥ 9.11.0, < 9.11.12; +1 more. Date: 2025-05-15.
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.

CVE-2025-31947 [MEDIUM] CWE-645: Mattermost Fails to Lockout LDAP Users After Repeated Login Failures
Affected: ≥ 10.6.0, < 10.6.2; ≥ 10.5.0, < 10.5.3; +3 more. Date: 2025-05-15.
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts by repeating login failures through Mattermost.

CVE-2025-3446 [MEDIUM] CWE-863: Mattermost Fails to Validate Team Invite Permissions
Affected: ≥ 10.6.0, < 10.6.2; ≥ 10.5.0, < 10.5.3; +3 more. Date: 2025-05-15.
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API endpoint for adding a single user to a team.

CVE-2025-2570 [LOW] CWE-863: Mattermost Fails to Check User Access to `ExperimentalSettings`
Affected: ≥ 10.5.0, < 10.5.3; ≥ 9.11.0, < 9.11.12; +1 more. Date: 2025-05-15.
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting when a user does not have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentalSettings` via the System Console when `RestrictSystemAdmin` is true.

CVE-2025-35965 [MEDIUM] CWE-770: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more. Date: 2025-04-24.
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts.

CVE-2025-41395 [MEDIUM] CWE-1287: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more. Date: 2025-04-24.
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with malicious

CVE-2025-41423 [LOW] CWE-863: Mattermost Playbooks fails to properly validate permissions
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more. Date: 2025-04-24.
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.

CVE-2025-27571 [MEDIUM] CWE-863: Mattermost Incorrect Authorization vulnerability
Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more. Date: 2025-04-16.
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.

CVE-2025-2564 [MEDIUM] CWE-863: Mattermost Incorrect Authorization vulnerability
Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more. Date: 2025-04-16.
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.

CVE-2025-27936 [MEDIUM] CWE-208: Mattermost vulnerable to Observable Timing Discrepancy
Affected: ≥ 10.5.0, < 10.5.2; ≥ 0, < 8.0.0-20250314142426-c049748b8863. Date: 2025-04-16.
Mattermost Plugin MSTeams versions < 2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform a constant-time comparison of the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

CVE-2025-24839 [LOW] CWE-863: Mattermost Incorrect Authorization vulnerability
Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more. Date: 2025-04-16.
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled.

CVE-2025-27538 [LOW] CWE-306: Mattermost Missing Authentication for Critical Function
Affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more. Date: 2025-04-16.
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.

CVE-2025-31363 [LOW] CWE-201: Mattermost doesn't restrict domains LLM can request to contact upstream
Affected: ≥ 10.5.0, < 10.5.1; ≥ 10.4.0, < 10.4.3; +2 more. Date: 2025-04-16.
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict the domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin's Jira tool.

CVE-2025-2475 [MEDIUM] CWE-303: Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
Affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more. Date: 2025-04-14.
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot, which allows an attacker to log in to the bot exactly one time via normal credentials.

CVE-2025-32093 [MEDIUM] CWE-863: Mattermost Fails to Restrict Certain Operations on System Admins
Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more. Date: 2025-04-14.
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission val

CVE-2025-2424 [LOW] CWE-863: Mattermost Incorrect Authorization vulnerability
Affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more. Date: 2025-04-14.
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark, which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.

CVE-2025-24866 [LOW] CWE-863: Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
Affected: ≥ 9.11.0, < 9.11.9; ≥ 0, < 8.0.0-20250204211032-f52e08754c49. Date: 2025-04-10.
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

CVE-2025-25068 [HIGH] CWE-306: Mattermost Fails to Enforce MFA on Plugin Endpoints
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Date: 2025-03-21.
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.

CVE-2025-25274 [MEDIUM] CWE-77: Mattermost Fails to Restrict Command Execution in Archived Channels
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Date: 2025-03-21.
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

CVE-2025-27933 [MEDIUM] CWE-863: Mattermost allows members with permission to convert public channels to private and convert private to public
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Date: 2025-03-21.
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.