
Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 7 of 10
CVE-2024-46872 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc | 2024-10-29
CVE-2024-46872 [MEDIUM] CWE-352 Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery. Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection, which allows for a one-click client-side path traversal that leads to CSRF in Playbooks.
Sources: GHSA, OSV
CVE-2025-41436 | P4 | LOW | affected: ≥ 0, < 8.0.0-20250815165020-c8d66301415d | 2025-11-14
CVE-2025-41436 [LOW] CWE-863 Mattermost allows regular users to access archived channel content and files. Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads.
Sources: GHSA, OSV
CVE-2026-4286 | P4 | LOW | affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14 | 2026-05-18
CVE-2026-4286 [LOW] CWE-863 Mattermost doesn't check if {{team_id}} was being changed when updating playbooks. Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing the manage members restriction via the PUT API. Mattermost Advisory ID: MMS
Sources: GHSA
CVE-2026-4273 | P4 | LOW | affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | 2026-05-18
CVE-2026-4273 [LOW] CWE-863 Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation. Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation, which allows an authentic
Sources: GHSA
CVE-2023-5194 | P4 | MEDIUM | affected: ≥ 8.1.0, < 8.1.1; ≥ 8.0.0, < 8.0.2 | 2023-09-29
CVE-2023-5194 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability. Mattermost fails to properly validate permissions when demoting and deactivating a user, allowing a system/user manager to demote or deactivate another manager.
Sources: GHSA, OSV
CVE-2024-23488 | P4 | LOW | affected: ≥ 9.0.0, < 9.4.2; ≥ 0, < 8.1.9 | 2024-02-29
CVE-2024-23488 [LOW] CWE-284 Mattermost fails to properly restrict the access of files attached to posts. Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the "Allow users to view archived channels" option is disabled.
Sources: GHSA, OSV
CVE-2026-25783 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20260129181235-1346cf529aef | 2026-03-16
CVE-2026-25783 [MEDIUM] CWE-1287 Mattermost fails to properly validate User-Agent header tokens. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens, which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
Sources: GHSA, OSV
CVE-2024-43780 | P4 | MEDIUM | affected: ≥ 9.5.0, < 9.5.8; ≥ 9.10.0, < 9.10.1; +2 more | 2024-08-22
CVE-2024-43780 [MEDIUM] CWE-284 Mattermost allows guest user with read access to upload files to a channel. Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions, which allows a guest user with read access to upload files to a channel.
Sources: GHSA, OSV
CVE-2026-25780 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20260123215601-86797c508c44 | 2026-03-16
CVE-2026-25780 [MEDIUM] CWE-789 Mattermost fails to bound memory allocation when processing DOC files. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files, which allows an authenticated attacker to cause server memory exhaustion and denial of service by uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Sources: GHSA, OSV
CVE-2025-2527 | P4 | MEDIUM | affected: ≥ 10.5.0, < 10.5.3; ≥ 9.11.0, < 9.11.12; +1 more | 2025-05-15
CVE-2025-2527 [MEDIUM] CWE-863 Mattermost Fails to Verify User's Permissions When Accessing Groups. Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
Sources: GHSA, OSV
CVE-2025-3228 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20250520060012-d0380305ef7a; ≥ 10.5.0, < 10.5.6; +4 more | 2025-06-20
CVE-2025-3228 [MEDIUM] CWE-863 Mattermost allows an unauthorized Guest user access to Playbook. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from the playbooks handler for guest users, which allows an attacker access to the playbook run.
Sources: GHSA, OSV
CVE-2025-1472 | P4 | MEDIUM | affected: ≥ 9.11.0, < 9.11.9 | 2025-03-19
CVE-2025-1472 [MEDIUM] CWE-863 Mattermost Fails to Properly Perform Viewer Role Authorization. Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
Sources: GHSA, OSV
CVE-2026-3115 | P4 | MEDIUM | affected: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | 2026-03-26
CVE-2026-3115 [MEDIUM] CWE-863 Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scop
Sources: GHSA, OSV
CVE-2025-2424 | P4 | LOW | affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more | 2025-04-14
CVE-2025-2424 [LOW] CWE-863 Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark, which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
Sources: GHSA, OSV
CVE-2025-47870 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20250708065844-b38e2eccda18 | 2025-08-21
CVE-2025-47870 [MEDIUM] CWE-306 Mattermost Does Not Sanitize the Team Invite ID. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to obtain the team's invite ID.
Sources: GHSA, OSV
CVE-2025-12559 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20251015091448-abbf01b9db45 | 2025-11-27
CVE-2025-12559 [MEDIUM] CWE-200 Mattermost fails to sanitize team email addresses. Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Sources: GHSA, OSV
CVE-2025-4128 | P4 | LOW | affected: ≥ 0, < 8.0.0-20250422131222-701ddc896a10 | 2025-06-11
CVE-2025-4128 [LOW] CWE-863 Mattermost allows guest users to view information about public teams they are not members of. Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Sources: GHSA, OSV
CVE-2025-49810 | P4 | LOW | affected: ≥ 0, < 8.0.0-20250721095846-c602a4a78e1f | 2025-08-21
CVE-2025-49810 [LOW] CWE-863 Mattermost Lack of Access Control Validation. Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access, which allows a user to read a thread via AI posts.
Sources: GHSA, OSV
CVE-2025-24839 | P4 | LOW | affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more | 2025-04-16
CVE-2025-24839 [LOW] CWE-863 Mattermost Incorrect Authorization vulnerability. Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled.
Sources: GHSA, OSV
CVE-2025-2571 | P4 | MEDIUM | affected: ≥ 10.7.0-rc1, < 10.7.1; ≥ 10.0.0-rc1, < 10.5.4; +3 more | 2025-05-30
CVE-2025-2571 [MEDIUM] CWE-303 Mattermost fails to clear Google OAuth credentials. Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
Sources: GHSA, OSV