Github.Com Mattermost Mattermost Server V8 vulnerabilities
180 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.
Total CVEs: 180
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 13, MEDIUM 117, LOW 43
Vulnerabilities
Page 6 of 9
CVE-2025-24920 [MEDIUM] CWE-863 Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Date: 2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.
Sources: GHSA, OSV
CVE-2025-30179 [MEDIUM] CWE-863 Mattermost Fails to Enforce MFA on Certain Search APIs
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more. Date: 2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
Sources: GHSA, OSV
CVE-2025-27715 [LOW] CWE-863 Mattermost fails to prompt for explicit approval before adding a team admin to a private channel
Affected: ≥ 9.11.0, < 9.11.9. Date: 2025-03-21
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalink links without their explicit consent.
Sources: GHSA, OSV
CVE-2025-1472 [MEDIUM] CWE-863 Mattermost Fails to Properly Perform Viewer Role Authorization
Affected: ≥ 9.11.0, < 9.11.9. Date: 2025-03-19
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker holding a Viewer role configured with No Access to Reporting to still view team and site statistics.
Sources: GHSA, OSV
CVE-2025-25279 [CRITICAL] CWE-22 Mattermost allows reading arbitrary files related to importing boards
Affected: ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more. Date: 2025-02-24
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read arbitrary files on the system by importing and then exporting a specially crafted import archive in Boards.
Sources: GHSA, OSV
CVE-2025-20051 [CRITICAL] CWE-22 Mattermost allows reading arbitrary files
Affected: ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more. Date: 2025-02-24
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read arbitrary files on the system by duplicating a specially crafted block in Boards.
Sources: GHSA, OSV
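The two CWE-22 entries above (CVE-2025-25279 and CVE-2025-20051) both come down to a file reference inside imported or duplicated Boards data resolving to a path outside the directory the server meant to read from. The Go program below is an added example of the containment check a server applies before touching such a reference; it is not Mattermost's code and does not reproduce the advisories' crafted blocks. The import root, the function names and the sample references are assumptions constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any reference that would resolve outside
// the import directory, whatever form the escape takes.
var ErrOutsideRoot = errors.New("file reference escapes the import root")

// SafeJoin resolves an untrusted, archive-supplied path p against root and
// returns the resolved target only if it stays inside root.
func SafeJoin(root, p string) (string, error) {
	cleanRoot := filepath.Clean(root)
	// An absolute path in an import archive is never legitimate; Join would
	// silently treat it as relative, so reject it up front.
	if filepath.IsAbs(p) {
		return "", ErrOutsideRoot
	}
	// Join cleans the result, so "a/../../x" collapses before we look at it.
	full := filepath.Join(cleanRoot, p)
	// Rel is the containment test. A plain strings.HasPrefix(full, cleanRoot)
	// is the classic mistake: it accepts "/srv/import2/x" for root "/srv/import".
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// ResolveBlockFiles applies SafeJoin to every file reference found in
// imported blocks, returning the accepted targets and the rejected inputs.
func ResolveBlockFiles(root string, refs []string) (accepted, rejected []string) {
	for _, ref := range refs {
		if full, err := SafeJoin(root, ref); err == nil {
			accepted = append(accepted, full)
		} else {
			rejected = append(rejected, ref)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample: file fields as they might appear in imported blocks.
	refs := []string{
		"attachments/diagram.png",
		"./notes/a/../b.txt",
		"../../../etc/passwd",
		"/etc/passwd",
		"attachments/../../secrets.json",
	}
	ok, bad := ResolveBlockFiles("/srv/mattermost/boards-import", refs)
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```

SafeJoin is purely lexical. On a real filesystem, also resolve symlinks before use (filepath.EvalSymlinks on the target, then re-check containment), or open files through os.Root on Go 1.24 and later, so that a symlink planted inside the import directory cannot redirect the read.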
CVE-2025-24526 [MEDIUM] CWE-863 Mattermost fails to restrict channel export of archived channels
Affected: ≥ 0, < 8.0.0-20250110161910-96195f1bd746; ≥ 9.11.0-rc1, < 9.11.8; +3 more. Date: 2025-02-24
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export the contents of a channel they should not have access to.
Sources: GHSA, OSV
CVE-2025-1412 [LOW] CWE-384 Mattermost fails to invalidate all active sessions when converting a user to a bot
Affected: ≥ 0, < 8.0.0-20241217145510-faa7e4f2ea0c; ≥ 10.4.0-rc1, < 10.4.2; +1 more. Date: 2025-02-24
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Sources: GHSA, OSV
CVE-2025-20621 [MEDIUM] CWE-1287 Mattermost webapp crash via a crafted post
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more. Date: 2025-01-16
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to crash the webapp by creating and sending such a post to a channel.
Sources: GHSA, OSV
CVE-2025-20088 [MEDIUM] CWE-1287 Mattermost fails to properly validate post props
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more. Date: 2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.
Sources: GHSA, OSV
CVE-2025-21088 [MEDIUM] CWE-704 Mattermost Incorrect Type Conversion or Cast
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more. Date: 2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the value supplied as an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Sources: GHSA, OSV
CVE-2025-20086 [MEDIUM] CWE-1287 Mattermost fails to properly validate post props
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more. Date: 2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.
Sources: GHSA, OSV
CVE-2025-20033 [MEDIUM] CWE-1287 Mattermost Improper Validation of Specified Type of Input vulnerability
Affected: ≥ 9.11.0, < 9.11.16; ≥ 10.0.0, < 10.0.4; +3 more. Date: 2025-01-09
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users holding the sysconsole_read_plugins permission by creating a post with the custom_pl_notification type and specific props.
Sources: GHSA, OSV
CVE-2025-22449 [LOW] CWE-863 Mattermost Incorrect Authorization vulnerability
Affected: ≥ 9.11.0, < 9.11.6; ≥ 0, < 8.0.0-20250102081831-64c566a8280b. Date: 2025-01-09
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway by making the team public through the "allow_open_invite" field.
Sources: GHSA, OSV
CVE-2025-22445 [LOW] CWE-754 Mattermost has Improper Check for Unusual or Exceptional Conditions
Affected: ≥ 10.0, < 10.3.0; ≥ 0, < 8.0.0-20250102081831-64c566a8280b. Date: 2025-01-09
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which can mislead admins about a security-sensitive Calls configuration through incorrect UI reporting.
Sources: GHSA, OSV
CVE-2024-54083 [MEDIUM] CWE-1287 Mattermost Improper Validation of Specified Type of Input vulnerability
Affected: ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more. Date: 2024-12-16
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS for users of particular channels by sending a specially crafted post.
Sources: GHSA, OSV
CVE-2024-54682 [MEDIUM] CWE-409 Mattermost Data Amplification vulnerability
Affected: ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more. Date: 2024-12-16
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
Sources: GHSA, OSV
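CVE-2024-54682 above describes a missing size limit on Slack import uploads, the classic precondition for a zip bomb. The Go program below is an added illustration of the mitigation, not Mattermost's import code: it builds a constructed archive that is a few kilobytes on the wire but inflates to just over 2 MiB, then runs a budgeted extractor that refuses it under a 1 MiB limit and accepts it under 4 MiB. The budget values, member names and function names are assumptions made for the demo.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the archive would inflate past the budget.
var ErrTooLarge = errors.New("archive exceeds the configured size budget")

// Entry is a constructed archive member used to build sample input.
type Entry struct {
	Name string
	Data []byte
}

// ExtractBudget walks a zip held in memory and streams every member through
// a total uncompressed-size budget. The declared sizes from the central
// directory are summed first (cheap, and catches honest oversized uploads);
// because those fields can lie, the bytes actually produced are capped too.
// It returns the number of inflated bytes consumed before stopping.
func ExtractBudget(data []byte, maxTotal int64) (int64, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	var declared, produced int64
	for _, f := range r.File {
		declared += int64(f.UncompressedSize64)
		if declared > maxTotal {
			return 0, fmt.Errorf("%w: declared %d bytes", ErrTooLarge, declared)
		}
	}
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return produced, err
		}
		// Read at most one byte beyond what is left in the budget, so a member
		// that understates its size is caught as soon as it crosses the line
		// instead of after it has been fully inflated.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, maxTotal-produced+1))
		rc.Close()
		if err != nil {
			return produced, err
		}
		produced += n
		if produced > maxTotal {
			return produced, fmt.Errorf("%w: produced %d bytes", ErrTooLarge, produced)
		}
	}
	return produced, nil
}

// BuildArchive writes the given members into an in-memory zip (deflate).
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write(e.Data); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// SampleSize and SampleUsers describe the constructed upload: a few
// kilobytes on the wire that inflate to just over 2 MiB.
const SampleSize = 2 << 20

var SampleUsers = []byte(`[{"id":"u1","username":"alice"}]`)

// SampleArchive builds a small zip-bomb-shaped upload for the demo.
func SampleArchive() []byte {
	return BuildArchive([]Entry{
		{Name: "channels.json", Data: bytes.Repeat([]byte{0}, SampleSize)},
		{Name: "users.json", Data: SampleUsers},
	})
}

func main() {
	archive := SampleArchive()
	fmt.Printf("upload is %d bytes on the wire\n", len(archive))
	for _, budget := range []int64{1 << 20, 4 << 20} {
		n, err := ExtractBudget(archive, budget)
		fmt.Printf("budget %d MiB: produced %d bytes, err=%v\n", budget>>20, n, err)
	}
}
```

Two properties matter in ExtractBudget: it never trusts the central directory alone (the LimitReader cap catches a member that understates its size), and it never materialises a member before checking it. On an upload endpoint, also cap the compressed request body itself (http.MaxBytesReader) and apply the same budget recursively if members can themselves be archives.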
CVE-2024-48872 [MEDIUM] CWE-362 Mattermost Race Condition vulnerability
Affected: ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more. Date: 2024-12-16
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrent checking and updating of the failed login attempt counter, which allows an attacker to bypass the "Max failed attempts" restriction and submit a large number of login attempts before being blocked by sending many login requests simultaneously.
Sources: GHSA, OSV
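CVE-2024-48872 above is a textbook check-then-act race: the failed-attempt counter is read, the password is checked, and the counter is updated afterwards, so requests that arrive together all read a value below the limit. The Go program below is an added illustration of that shape and of one fix; it is not Mattermost's login code, and the 2 ms sleep standing in for the password check, the limit of 5 and the flood of 200 requests are constructed for the demo.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// MaxFailedAttempts stands in for the "Max failed attempts" setting.
const MaxFailedAttempts = 5

// Gate decides whether one more login attempt against an account may run.
type Gate interface{ Allow() bool }

// RacyGate is the check-then-update shape. Each step is individually atomic,
// yet nothing ties the read to the later write: every request that reads the
// counter while another is still checking a password sees a value below the
// limit, so atomics alone do not close the window.
type RacyGate struct{ failed int32 }

func (g *RacyGate) Allow() bool {
	if atomic.LoadInt32(&g.failed) >= MaxFailedAttempts {
		return false
	}
	time.Sleep(2 * time.Millisecond) // stands in for the password comparison
	atomic.AddInt32(&g.failed, 1)    // the failure is recorded after the fact
	return true
}

// LockedGate reserves the attempt before the work happens: the check and the
// increment form one critical section, so at most MaxFailedAttempts requests
// ever get past it, however many arrive at once.
type LockedGate struct {
	mu     sync.Mutex
	failed int
}

func (g *LockedGate) Allow() bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.failed >= MaxFailedAttempts {
		return false
	}
	g.failed++ // reserve the slot now; a successful login would reset it
	return true
}

// Flood releases n login attempts at the same instant and returns how many
// of them reached the password check.
func Flood(g Gate, n int) int {
	var admitted int32
	var wg sync.WaitGroup
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // all goroutines block here until the flood is released
			if g.Allow() {
				atomic.AddInt32(&admitted, 1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return int(admitted)
}

func main() {
	fmt.Printf("racy gate admitted %d of 200 attempts (limit %d)\n", Flood(&RacyGate{}, 200), MaxFailedAttempts)
	fmt.Printf("locked gate admitted %d of 200 attempts (limit %d)\n", Flood(&LockedGate{}, 200), MaxFailedAttempts)
}
```

On a typical run the racy gate admits all 200 attempts while the locked gate admits exactly 5 (it can never admit fewer, since the counter only grows after an admission). A production fix keeps the same idea but scopes it correctly: the critical section (or an atomic compare-and-swap loop) must be per account rather than one process-wide mutex, and in a multi-node deployment the counter lives in the database, so the reservation has to be an atomic conditional update there, for example an UPDATE ... WHERE failed_attempts < max whose affected-row count decides whether the attempt proceeds.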
CVE-2024-46872 [MEDIUM] CWE-352 Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
Affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc. Date: 2024-10-29
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection, which allows a one-click client-side path traversal leading to CSRF in Playbooks.
Sources: GHSA, OSV
CVE-2024-50052 [MEDIUM] CWE-862 Mattermost server allows authenticated user to delete arbitrary post
Affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc. Date: 2024-10-29
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches the original post's metadata, which allows an authenticated user to delete an arbitrary post.
Sources: GHSA, OSV