Mattermost Server vulnerabilities

417 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 16, HIGH 77, MEDIUM 288, LOW 36

Vulnerabilities

Page 1 of 21
CVE-2026-4915 | MEDIUM | CVSS 6.5 | CWE-754 | Affected: ≥ 10.11.0, < 10.11.15; ≥ 11.4.0, < 11.4.5; +2 more | 2026-05-25
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.
Source: nvd

CVE-2026-4858 | CRITICAL | CVSS 9.9 | CWE-22 | Affected: ≥ 10.11.0, < 10.11.15; ≥ 11.4.0, < 11.4.5; +2 more | 2026-05-21
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640
Source: nvd

CVE-2026-4055 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.17; ≥ 11.5.0, < 11.5.5; +1 more | 2026-05-21
Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629
Source: nvd

CVE-2026-6347 | HIGH | CVSS 7.6 | CWE-200 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-006
Source: nvd

CVE-2026-6346 | HIGH | CVSS 8.7 | CWE-200 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System C
Source: nvd

CVE-2026-28732 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to
Source: nvd

CVE-2026-3117 | MEDIUM | CVSS 6.5 | CWE-862 | Affected: ≥ 10.13.0, ≤ 10.13.11; ≥ 11.1.0, ≤ 11.1.5; +1 more | 2026-05-18
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin, which allows normal users to uninstall instances or set up webhook connections via the /gitlab instance {option} or the /gitlab webhook {option} commands. Mattermost Advisory ID: MMSA-2026-00600
Source: nvd

CVE-2026-28759 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership
Source: nvd

CVE-2026-6339 | MEDIUM | CVSS 4.3 | CWE-346 | Affected: ≥ 11.4.0, < 11.4.4; ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint, which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636
Source: nvd

CVE-2026-6333 | MEDIUM | CVSS 5.0 | CWE-918 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582
Source: nvd

CVE-2026-6340 | MEDIUM | CVSS 6.5 | CWE-789 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573
Source: nvd

CVE-2026-2325 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to /api/v1/meetings. Mattermost Advisory ID: MMSA-2026-00608
Source: nvd

CVE-2026-6343 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
Source: nvd

CVE-2026-4286 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if team_id was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing the manage members restriction via the PUT API. Mattermost Advisory ID: MMSA-2025-00552
Source: nvd

CVE-2026-5163 | MEDIUM | CVSS 6.5 | CWE-862 | Affected: ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites, which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645
Source: nvd

CVE-2026-6341 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.13.0, ≤ 10.13.11; ≥ 11.1.0, ≤ 11.1.5; +1 more | 2026-05-18
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to, which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
Source: nvd

CVE-2026-4273 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation, which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching
Source: nvd

CVE-2026-3637 | MEDIUM | CVSS 4.3 | CWE-862 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +1 more | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026
Source: nvd

CVE-2026-3495 | MEDIUM | CVSS 4.8 | CWE-79 | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.5.0, < 11.5.2 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute malicious code via injecting JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622
Source: nvd

CVE-2026-6342 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 10.13.0, ≤ 10.13.11; ≥ 11.1.0, ≤ 11.1.5; +1 more | 2026-05-18
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces, which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
Source: nvd