Mattermost Server vulnerabilities
389 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs
389
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL15HIGH74MEDIUM266LOW34
Vulnerabilities
Page 4 of 20
CVE-2025-58075HIGHCVSS 8.1≥ 10.5.0, < 10.5.11≥ 10.10.0, < 10.10.3+1 more2025-10-16
CVE-2025-58075 [HIGH] CWE-862 CVE-2025-58075: Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState
nvd
CVE-2025-58073HIGHCVSS 8.1≥ 10.5.0, < 10.5.11≥ 10.10.0, < 10.10.3+1 more2025-10-16
CVE-2025-58073 [HIGH] CWE-862 CVE-2025-58073: Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
nvd
CVE-2025-41443MEDIUMCVSS 4.3≥ 10.5.0, < 10.5.11≥ 10.11.0, < 10.11.32025-10-16
CVE-2025-41443 [MEDIUM] CWE-862 CVE-2025-41443: Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permi
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
nvd
CVE-2025-41410MEDIUMCVSS 5.4≥ 10.5.0, < 10.5.11≥ 10.10.0, < 10.10.3+1 more2025-10-16
CVE-2025-41410 [MEDIUM] CWE-862 CVE-2025-41410: Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions
nvd
CVE-2025-10545MEDIUMCVSS 4.3≥ 10.5.0, < 10.5.11≥ 10.11.0, < 10.11.32025-10-16
CVE-2025-10545 [MEDIUM] CWE-863 CVE-2025-10545: Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permi
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
nvd
CVE-2025-54499LOWCVSS 3.7≥ 10.5.0, < 10.5.11≥ 10.11.0, < 10.11.32025-10-16
CVE-2025-54499 [LOW] CWE-208 CVE-2025-54499: Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for s
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets
nvd
CVE-2025-9079HIGHCVSS 7.2≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+3 more2025-09-19
CVE-2025-9079 [HIGH] CWE-22 CVE-2025-9079: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
nvd
CVE-2025-9081MEDIUMCVSS 6.5≥ 9.11.0, < 9.11.17≥ 10.5.0, < 10.5.92025-09-19
CVE-2025-9081 [MEDIUM] CWE-639 CVE-2025-9081: Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls wh
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
nvd
CVE-2025-9078MEDIUMCVSS 4.3≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+3 more2025-09-15
CVE-2025-9078 [MEDIUM] CWE-328 CVE-2025-9078: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing
nvd
CVE-2025-9076MEDIUMCVSS 6.5≥ 10.10.0, < 10.10.22025-09-15
CVE-2025-9076 [MEDIUM] CWE-862 CVE-2025-9076: Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel mem
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
nvd
CVE-2025-9072MEDIUMCVSS 5.4≥ 10.5.0, < 10.5.10≥ 10.9.0, < 10.9.5+1 more2025-09-15
CVE-2025-9072 [MEDIUM] CWE-601 CVE-2025-9072: Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redi
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.
nvd
CVE-2025-9084MEDIUMCVSS 6.1≥ 10.5.0, < 10.5.102025-09-15
CVE-2025-9084 [MEDIUM] CWE-601 CVE-2025-9084: Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
nvd
CVE-2025-49810MEDIUMCVSS 4.3≥ 10.5.0, < 10.5.92025-08-21
CVE-2025-49810 [MEDIUM] CWE-863 CVE-2025-49810: Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
nvd
CVE-2025-47870MEDIUMCVSS 4.3≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+2 more2025-08-21
CVE-2025-47870 [MEDIUM] CWE-306 CVE-2025-47870: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.
nvd
CVE-2025-49222MEDIUMCVSS 6.8≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+3 more2025-08-21
CVE-2025-49222 [MEDIUM] CWE-434 CVE-2025-49222: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
nvd
CVE-2025-8023MEDIUMCVSS 4.9≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+2 more2025-08-21
CVE-2025-8023 [MEDIUM] CWE-22 CVE-2025-8023: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
nvd
CVE-2025-8402MEDIUMCVSS 4.9≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+3 more2025-08-21
CVE-2025-8402 [MEDIUM] CWE-476 CVE-2025-8402: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
nvd
CVE-2025-6465MEDIUMCVSS 4.3≥ 10.5.0, < 10.5.9≥ 10.8.0, < 10.8.4+2 more2025-08-21
CVE-2025-6465 [MEDIUM] CWE-22 CVE-2025-6465: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
nvd
CVE-2025-36530MEDIUMCVSS 4.9≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.9+2 more2025-08-21
CVE-2025-36530 [MEDIUM] CWE-22 CVE-2025-36530: Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
nvd
CVE-2025-53971LOWCVSS 3.8≥ 9.11.0, < 9.11.18≥ 10.5.0, < 10.5.92025-08-21
CVE-2025-53971 [LOW] CWE-863 CVE-2025-53971: Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
nvd