Github.Com Mattermost Mattermost Server V8 vulnerabilities
199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.
Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48
Vulnerabilities
Page 8 of 10
CVE-2025-14350 | P4 | MEDIUM | ≥ 0, < 8.0.0-20251209134645-761e56bb11cc | 2026-02-16
CVE-2025-14350 [MEDIUM] CWE-862 Mattermost fails to properly validate team membership when processing channel mentions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the chann
Sources: GHSA, OSV
CVE-2025-11777 | P4 | LOW | ≥ 0, < 8.0.0-20250905150616-ba86dfc5876b | 2025-11-13
CVE-2025-11777 [LOW] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Sources: GHSA, OSV
CVE-2025-12756 | P4 | MEDIUM | ≥ 0, ≤ 8.0.0-20251013062617-7977e7e6dae3 | 2025-12-01
CVE-2025-12756 [MEDIUM] CWE-863 Mattermost fails to validate user permissions when deleting comments in Boards
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
Sources: GHSA, OSV
CVE-2026-3495 | P4 | LOW | ≥ 10.11.0, < 10.11.14; ≥ 11.5.0, < 11.5.2; +1 more | 2026-05-18
CVE-2026-3495 [LOW] CWE-79 Mattermost doesn't escape some variables that could contain malicious content during error page composition
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code v
Sources: GHSA
CVE-2025-9078 | P4 | MEDIUM | ≥ 0, < 8.0.0-20250718075842-cd87e5c87737 | 2025-09-15
CVE-2025-9078 [MEDIUM] CWE-328 Mattermost makes Use of Weak Hash
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
Sources: GHSA, OSV
CVE-2024-1953 | P4 | MEDIUM | ≥ 9.4.0, < 9.4.2; ≥ 9.3.0, < 9.3.1; +2 more | 2024-02-29
CVE-2024-1953 [MEDIUM] CWE-400 Mattermost fails to limit the number of role names
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
Sources: GHSA, OSV
CVE-2023-6202 | P4 | MEDIUM | ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | 2023-11-27
CVE-2023-6202 [MEDIUM] CWE-284 Mattermost Improper Access Control vulnerability
Mattermost fails to perform proper authorization in the `/plugins/focalboard/api/v2/users` endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.
Sources: GHSA, OSV
CVE-2024-1887 | P4 | HIGH | ≥ 9.3.0, < 9.3.1; ≥ 9.2.0, < 9.2.5; +1 more | 2024-02-29
CVE-2024-1887 [HIGH] CWE-284 Mattermost post fetching without auditing in compliance export
Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.
Sources: GHSA, OSV
CVE-2024-24776 | P4 | LOW | ≥ 0, < 8.1.8; ≥ 9.0.0, < 9.3.0 | 2024-02-09
CVE-2024-24776 [LOW] CWE-284 Mattermost fails to check the required permissions
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
Sources: GHSA, OSV
CVE-2025-24526 | P4 | MEDIUM | ≥ 0, < 8.0.0-20250110161910-96195f1bd746; ≥ 9.11.0-rc1, < 9.11.8; +3 more | 2025-02-24
CVE-2025-24526 [MEDIUM] CWE-863 Mattermost fails to restrict channel export of archived channels
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export channel contents when they shouldn't have access to it.
Sources: GHSA, OSV
CVE-2026-26246 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260115183946-38b413a27604 | 2026-03-16
CVE-2026-26246 [MEDIUM] CWE-789 Mattermost fails to bound memory allocation when processing PSD image files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00
Sources: GHSA, OSV
CVE-2026-2578 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260127062706-c6b205f0d770 | 2026-03-16
CVE-2026-2578 [MEDIUM] CWE-201 Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Sources: GHSA, OSV
CVE-2025-27571 | P4 | MEDIUM | ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more | 2025-04-16
CVE-2025-27571 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.
Sources: GHSA, OSV
CVE-2025-24920 | P4 | MEDIUM | ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CVE-2025-24920 [MEDIUM] CWE-863 Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.
Sources: GHSA, OSV
CVE-2025-3227 | P4 | MEDIUM | ≥ 0, < 8.0.0-20250520060012-d0380305ef7a; ≥ 10.5.0, < 10.5.6; +4 more | 2025-06-20
CVE-2025-3227 [MEDIUM] CWE-863 Mattermost allows unauthorized channel member management through playbook runs
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and pri
Sources: GHSA, OSV
CVE-2025-3446 | P4 | MEDIUM | ≥ 10.6.0, < 10.6.2; ≥ 10.5.0, < 10.5.3; +3 more | 2025-05-15
CVE-2025-3446 [MEDIUM] CWE-863 Mattermost Fails to Validate Team Invite Permissions
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.
Sources: GHSA, OSV
CVE-2025-27933 | P4 | MEDIUM | ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CVE-2025-27933 [MEDIUM] CWE-863 Mattermost allows members with permission to convert public channels to private and convert private to public
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
Sources: GHSA, OSV
CVE-2026-21386 | P4 | MEDIUM | ≥ 0, < 8.0.0-20260130144323-5bb5261c72fa | 2026-03-16
CVE-2026-21386 [MEDIUM] CWE-203 Mattermost fails to use consistent error responses when handling the /mute command
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent
Sources: GHSA, OSV
CVE-2026-6339 | P4 | MEDIUM | ≥ 11.5.0, < 11.5.2; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
CVE-2026-6339 [MEDIUM] CWE-346 Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image ta
Sources: GHSA
CVE-2023-5967 | P4 | MEDIUM | ≥ 8.0.0, < 8.0.4; ≥ 8.1.0, < 8.1.3; +1 more | 2023-11-06
CVE-2023-5967 [MEDIUM] CWE-754 Mattermost denial of service vulnerability
Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin.
Sources: GHSA, OSV