Github.Com Mattermost Mattermost Server V8 vulnerabilities
199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.
Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48
Vulnerabilities
Page 6 of 10
CVE-2025-13870 | P4 | LOW | ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | 2025-12-02
CVE-2025-13870 [LOW] CWE-284 Mattermost fails to validate user permissions in Boards
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user's permission when accessing files and subscribing to blocks in Boards, which allows an authenticated user to access files of other boards and to subscribe to blocks of boards that the user does not have access to.
Sources: GHSA, OSV
CVE-2025-3611 | P4 | LOW | ≥ 10.6.0-rc1, < 10.7.1; ≥ 10.0.0-rc1, < 10.5.4 (+2 more) | 2025-05-30
CVE-2025-3611 [LOW] CWE-863 Mattermost fails to properly enforce access control restrictions for System Manager roles
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests t
Sources: GHSA, OSV
CVE-2024-41926 | P4 | MEDIUM | ≥ 9.5.0, < 9.5.7; ≥ 9.9.0, < 9.9.1 (+1 more) | 2024-08-01
CVE-2024-41926 [MEDIUM] CWE-284 Mattermost allows remote actor to set arbitrary RemoteId values for synced users
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Sources: GHSA, OSV
CVE-2026-28759 | P4 | MEDIUM | ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14 (+2 more) | 2026-05-18
CVE-2026-28759 [MEDIUM] CWE-863 Mattermost does not verify remote cluster channel access when processing shared channel membership removals
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious re
Sources: GHSA
CVE-2026-2457 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260123211116-9efe617be8b8 | 2026-03-16
CVE-2026-2457 [MEDIUM] CWE-346 Mattermost allows attackers to spoof permalink embeds
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Sources: GHSA, OSV
CVE-2023-5968 | P4 | MEDIUM | ≥ 8.0.0, < 8.0.4; ≥ 8.1.0, < 8.1.3 (+2 more) | 2023-11-06
CVE-2023-5968 [MEDIUM] CWE-116 Mattermost password hash disclosure vulnerability
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Sources: GHSA, OSV
CVE-2024-54682 | P4 | MEDIUM | ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3 (+2 more) | 2024-12-16
CVE-2024-54682 [MEDIUM] CWE-409 Mattermost Data Amplification vulnerability
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
Sources: GHSA, OSV
CVE-2025-10545 | P4 | LOW | ≥ 0, < 8.0.0-20250820115038-ff30b84049f0 | 2025-10-16
CVE-2025-10545 [LOW] CWE-863 Mattermost has an Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.
Sources: GHSA, OSV
CVE-2025-41443 | P4 | MEDIUM | ≥ 0, < 8.0.0-20250822090405-e8c7e7d0252b | 2025-10-16
CVE-2025-41443 [MEDIUM] CWE-862 Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.
Sources: GHSA, OSV
CVE-2024-41162 | P4 | MEDIUM | ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6 (+3 more) | 2024-08-01
CVE-2024-41162 [MEDIUM] CWE-284 Mattermost allows a remote actor to make an arbitrary local channel read-only
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
Sources: GHSA, OSV
CVE-2024-48872 | P4 | MEDIUM | ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3 (+2 more) | 2024-12-16
CVE-2024-48872 [MEDIUM] CWE-362 Mattermost Race Condition vulnerability
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrent checking and updating of the failed login attempt counter, which allows an attacker to bypass the "Max failed attempts" restriction and send a large number of login attempts before being blocked by sending multiple login requests simultaneously.
Sources: GHSA, OSV
CVE-2025-41423 | P4 | LOW | ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0 (+2 more) | 2025-04-24
CVE-2025-41423 [LOW] CWE-863 Mattermost Playbooks fails to properly validate permissions
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.
Sources: GHSA, OSV
CVE-2026-0999 | P4 | MEDIUM | ≥ 0, < 8.0.0-20251212052346-61651b0df7ea | 2026-02-16
CVE-2026-0999 [MEDIUM] CWE-303 Mattermost fails to properly validate login method restrictions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions, which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Sources: GHSA, OSV
CVE-2026-2463 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260105134819-cc427af41b2a | 2026-03-16
CVE-2026-2463 [MEDIUM] CWE-862 Mattermost fails to filter invite IDs based on user permissions
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
Sources: GHSA, OSV
CVE-2026-6343 | P4 | MEDIUM | ≥ 11.5.0, < 11.5.2; ≥ 11.4.0, < 11.4.4 (+1 more) | 2026-05-18
CVE-2026-6343 [MEDIUM] CWE-863 Mattermost doesn't check public/private permissions
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
Sources: GHSA
CVE-2026-2455 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260129133647-5d787969c2d5 | 2026-03-16
CVE-2026-2455 [MEDIUM] CWE-918 Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation, which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).
Sources: GHSA, OSV
CVE-2026-2458 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260113182106-a18b80ba4c32 | 2026-03-16
CVE-2026-2458 [MEDIUM] CWE-862 Mattermost allows a removed team member to enumerate all public channels within a private team
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermos
Sources: GHSA, OSV
CVE-2026-24692 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260107142155-0481bd1fb045 | 2026-03-16
CVE-2026-24692 [MEDIUM] CWE-863 Mattermost fails to properly enforce read permissions in search API endpoints
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints, which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Sources: GHSA, OSV
CVE-2025-13767 | P4 | MEDIUM | ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | 2025-12-24
CVE-2025-13767 [MEDIUM] CWE-863 Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with acce
Sources: GHSA, OSV
CVE-2026-4055 | P4 | MEDIUM | ≥ 8.0.0-20260304132957-9f2616376582, < 8.0.0-20260320113102-f2b3d1c6a945 | 2026-05-21
CVE-2026-4055 [MEDIUM] CWE-863 Mattermost has an Incorrect Authorization issue
Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629.
Sources: GHSA