cvebase

Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 6 of 10
CVE-2025-13870 | P4 | LOW | ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | 2025-12-02
CVE-2025-13870 [LOW] CWE-284 Mattermost fails to validate user permissions in Boards. Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing files and subscribing to blocks in Boards, which allows an authenticated user to access other boards' files and to subscribe to blocks from other boards that the user does not have access to.
CVE-2025-3611 | P4 | LOW | ≥ 10.6.0-rc1, < 10.7.1; ≥ 10.0.0-rc1, < 10.5.4; +2 more | 2025-05-30
CVE-2025-3611 [LOW] CWE-863 Mattermost fails to properly enforce access control restrictions for System Manager roles. Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests t
CVE-2024-41926 | P4 | MEDIUM | ≥ 9.5.0, < 9.5.7; ≥ 9.9.0, < 9.9.1; +1 more | 2024-08-01
CVE-2024-41926 [MEDIUM] CWE-284 Mattermost allows remote actor to set arbitrary RemoteId values for synced users. Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
CVE-2026-28759 | P4 | MEDIUM | ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more | 2026-05-18
CVE-2026-28759 [MEDIUM] CWE-863 Mattermost does not verify remote cluster channel access when processing shared channel membership removals. Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious re
CVE-2026-2457 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260123211116-9efe617be8b8 | 2026-03-16
CVE-2026-2457 [MEDIUM] CWE-346 Mattermost allows attackers to spoof permalink embeds. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
CVE-2023-5968 | P4 | MEDIUM | ≥ 8.0.0, < 8.0.4; ≥ 8.1.0, < 8.1.3; +2 more | 2023-11-06
CVE-2023-5968 [MEDIUM] CWE-116 Mattermost password hash disclosure vulnerability. Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
CVE-2024-54682 | P4 | MEDIUM | ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more | 2024-12-16
CVE-2024-54682 [MEDIUM] CWE-409 Mattermost Data Amplification vulnerability. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
CVE-2025-10545 | P4 | LOW | ≥ 0, < 8.0.0-20250820115038-ff30b84049f0 | 2025-10-16
CVE-2025-10545 [LOW] CWE-863 Mattermost has an Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.
CVE-2025-41443 | P4 | MEDIUM | ≥ 0, < 8.0.0-20250822090405-e8c7e7d0252b | 2025-10-16
CVE-2025-41443 [MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.
CVE-2024-41162 | P4 | MEDIUM | ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +3 more | 2024-08-01
CVE-2024-41162 [MEDIUM] CWE-284 Mattermost allows a remote actor to make an arbitrary local channel read-only. Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
CVE-2024-48872 | P4 | MEDIUM | ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more | 2024-12-16
CVE-2024-48872 [MEDIUM] CWE-362 Mattermost Race Condition vulnerability. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrent checking and updating of the failed login attempt counter, which allows an attacker to bypass the "Max failed attempts" restriction and submit a large number of login attempts before being blocked, by sending multiple login requests simultaneously.
CVE-2025-41423 | P4 | LOW | ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more | 2025-04-24
CVE-2025-41423 [LOW] CWE-863 Mattermost Playbooks fails to properly validate permissions. Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.
CVE-2026-0999 | P4 | MEDIUM | ≥ 0, < 8.0.0-20251212052346-61651b0df7ea | 2026-02-16
CVE-2026-0999 [MEDIUM] CWE-303 Mattermost fails to properly validate login method restrictions. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions, which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
CVE-2026-2463 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260105134819-cc427af41b2a | 2026-03-16
CVE-2026-2463 [MEDIUM] CWE-862 Mattermost fails to filter invite IDs based on user permissions. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
CVE-2026-6343 | P4 | MEDIUM | ≥ 11.5.0, < 11.5.2; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
CVE-2026-6343 [MEDIUM] CWE-863 Mattermost doesn't check public/private permissions. Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
CVE-2026-2455 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260129133647-5d787969c2d5 | 2026-03-16
CVE-2026-2455 [MEDIUM] CWE-918 Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation, which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).
CVE-2026-2458 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260113182106-a18b80ba4c32 | 2026-03-16
CVE-2026-2458 [MEDIUM] CWE-862 Mattermost allows a removed team member to enumerate all public channels within a private team. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermos
CVE-2026-24692 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260107142155-0481bd1fb045 | 2026-03-16
CVE-2026-24692 [MEDIUM] CWE-863 Mattermost fails to properly enforce read permissions in search API endpoints. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
CVE-2025-13767 | P4 | MEDIUM | ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | 2025-12-24
CVE-2025-13767 [MEDIUM] CWE-863 Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues. Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with acce
CVE-2026-4055 | P4 | MEDIUM | ≥ 8.0.0-20260304132957-9f2616376582, < 8.0.0-20260320113102-f2b3d1c6a945 | 2026-05-21
CVE-2026-4055 [MEDIUM] CWE-863 Mattermost has an Incorrect Authorization issue. Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629.