github.com/mattermost_mattermost_server_v8 vulnerabilities
199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 7 | HIGH 15 | MEDIUM 129 | LOW 48

Vulnerabilities (page 9 of 10)
CVE-2023-45223 | P4 | MEDIUM | affected: ≥ 0, < 8.1.4 | published: 2023-11-27
CVE-2023-45223 [MEDIUM] CWE-200 Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled.
Sources: GHSA, OSV
CVE-2023-43754 | P4 | MEDIUM | affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | published: 2023-11-27
CVE-2023-43754 [MEDIUM] CWE-200 Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Mattermost fails to check whether the "Allow users to view archived channels" setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the "Allow users to view archived channels" setting is disabled.
Sources: GHSA, OSV
CVE-2023-47865 | P4 | MEDIUM | affected: ≥ 0, < 8.1.4 | published: 2023-11-27
CVE-2023-47865 [MEDIUM] CWE-284 Mattermost Improper Access Control vulnerability
Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled.
Sources: GHSA, OSV
CVE-2024-1952 | P4 | LOW | affected: ≥ 9.0.0, < 9.4.0 | published: 2024-02-29
CVE-2024-1952 [LOW] CWE-200 Mattermost incorrectly allows access individual posts
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
Sources: GHSA, OSV
CVE-2024-1942 | P4 | MEDIUM | affected: ≥ 9.3.0, < 9.3.1; ≥ 9.2.0, < 9.2.5; +1 more | published: 2024-02-29
CVE-2024-1942 [MEDIUM] CWE-284 Mattermost allows attackers access to posts in channels they are not a member of
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
Sources: GHSA, OSV
CVE-2023-47858 | P4 | MEDIUM | affected: ≥ 0, < 8.1.1 | published: 2024-01-02
CVE-2023-47858 [MEDIUM] CWE-284 Mattermost viewing archived public channels permissions vulnerability
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted endpoint.
Sources: GHSA, OSV
CVE-2024-10241 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20240813135334-8f3a13122f55 | published: 2024-10-29
CVE-2024-10241 [MEDIUM] CWE-284 Mattermost Server allows user to get private channel names
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
Sources: GHSA, OSV
CVE-2025-2564 | P4 | MEDIUM | affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more | published: 2025-04-16
CVE-2025-2564 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
Sources: GHSA, OSV
CVE-2025-64641 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20251121122154-b57c297c6d7 | published: 2025-12-24
CVE-2025-64641 [MEDIUM] CWE-863 Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Ji
Sources: GHSA, OSV
CVE-2024-1402 | P4 | MEDIUM | affected: ≥ 0, < 8.1.8; ≥ 9.2.0, < 9.2.4; +1 more | published: 2024-02-09
CVE-2024-1402 [MEDIUM] CWE-400 Mattermost vulnerable to denial of service via large number of emoji reactions
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post. Fetching posts wit
Sources: GHSA, OSV
CVE-2023-48732 | P4 | MEDIUM | affected: ≥ 0, < 8.1.7 | published: 2024-01-02
CVE-2023-48732 [MEDIUM] CWE-200 Mattermost notified all users in the channel when using WebSockets to respond individually
Mattermost fails to scope the WebSocket response around notified users to each user separately, resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
Sources: GHSA, OSV
CVE-2024-1888 | P4 | MEDIUM | affected: ≥ 9.4.0, < 9.4.2; ≥ 9.3.0, < 9.3.1; +2 more | published: 2024-02-29
CVE-2024-1888 [MEDIUM] CWE-284 Mattermost fails to check the "invite_guest" permission
Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server.
Sources: GHSA, OSV
CVE-2023-50333 | P4 | LOW | affected: ≥ 0, < 8.1.7 | published: 2024-01-02
CVE-2023-50333 [LOW] CWE-284 Mattermost allows demoted guests to change group names
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
Sources: GHSA, OSV
CVE-2025-4573 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20250414112942-77892234944b | published: 2025-06-11
CVE-2025-4573 [MEDIUM] CWE-90 Mattermost allows authenticated administrator to execute LDAP search filter injection
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT
Sources: GHSA, OSV
CVE-2025-54499 | P4 | LOW | affected: ≥ 0, < 8.0.0-20250728063359-38208b8f065f | published: 2025-10-16
CVE-2025-54499 [LOW] CWE-208 Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
Sources: GHSA, OSV
CVE-2025-13324 | P4 | MEDIUM | affected: ≥ 0, < 8.0.0-20251031095924-e7e23b94e006 | published: 2025-12-17
CVE-2025-13324 [MEDIUM] CWE-863 Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to
Sources: GHSA, OSV
CVE-2026-22545 | P4 | LOW | affected: ≥ 0, < 8.0.0-20260127144908-ced9a56e3988 | published: 2026-03-16
CVE-2026-22545 [LOW] CWE-863 Mattermost fails to validate user's authentication method when processing account auth type switch
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermos
Sources: GHSA, OSV
CVE-2026-6334 | P4 | LOW | affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | published: 2026-05-18
CVE-2026-6334 [LOW] CWE-305 Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted
Sources: GHSA
CVE-2024-29221 | P4 | MEDIUM | affected: ≥ 8.1.0, < 8.1.11; ≥ 9.5.0, < 9.5.2; +2 more | published: 2024-04-05
CVE-2024-29221 [MEDIUM] CWE-284 Mattermost Server Improper Access Control
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
Sources: GHSA, OSV
CVE-2025-3913 | P4 | MEDIUM | affected: ≥ 10.7.0-rc1, < 10.7.1; ≥ 10.6.0-rc1, < 10.6.3; +3 more | published: 2025-05-29
CVE-2025-3913 [MEDIUM] CWE-863 Mattermost improperly allows team administrators to modify team invites
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
Sources: GHSA, OSV