Mattermost Server vulnerabilities
417 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 16, HIGH 77, MEDIUM 288, LOW 36
Vulnerabilities
Page 5 of 21
CVE-2025-12559 | MEDIUM | CVSS 4.3 | affected: ≥ 10.5.0, < 10.5.13; ≥ 10.11.0, < 10.11.5; +2 more | published 2025-11-27
CWE-200: Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Source: nvd
CVE-2025-55074 | LOW | CVSS 3.5 | affected: ≥ 10.5.0, < 10.5.12; ≥ 10.11.0, < 10.11.4 | published 2025-11-18
CWE-1426: Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects.
Source: nvd
CVE-2025-55070 | HIGH | CVSS 7.5 | fixed in 11.0.0 | published 2025-11-14
CWE-306: Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Source: nvd
CVE-2025-11776 | MEDIUM | CVSS 4.3 | fixed in 11.0.0 | published 2025-11-14
CWE-863: Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint.
Source: nvd
CVE-2025-41436 | MEDIUM | CVSS 4.3 | fixed in 11.0.0 | published 2025-11-14
CWE-863: Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads.
Source: nvd
CVE-2025-55073 | MEDIUM | CVSS 5.3 | affected: ≥ 10.5.0, < 10.5.12; ≥ 10.11.0, < 10.11.4; +1 more | published 2025-11-14
CWE-306: Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Source: nvd
CVE-2025-11794 | MEDIUM | CVSS 4.9 | affected: ≥ 10.5.0, < 10.5.12; ≥ 10.11.0, < 10.11.4; +1 more | published 2025-11-14
CWE-200: Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
Source: nvd
CVE-2025-11777 | MEDIUM | CVSS 4.3 | affected: ≥ 10.5.0, < 10.5.12; ≥ 10.11.0, < 10.11.4 | published 2025-11-13
CWE-863: Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Source: nvd
CVE-2025-58075 | HIGH | CVSS 8.1 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.10.0, < 10.10.3; +1 more | published 2025-10-16
CWE-862: Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
Source: nvd
CVE-2025-58073 | HIGH | CVSS 8.1 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.10.0, < 10.10.3; +1 more | published 2025-10-16
CWE-862: Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Source: nvd
CVE-2025-41443 | MEDIUM | CVSS 4.3 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3 | published 2025-10-16
CWE-862: Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information, which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint.
Source: nvd
CVE-2025-41410 | MEDIUM | CVSS 5.4 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.10.0, < 10.10.3; +1 more | published 2025-10-16
CWE-862: Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during the Slack import process, which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.
Source: nvd
CVE-2025-10545 | MEDIUM | CVSS 4.3 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3 | published 2025-10-16
CWE-863: Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members, which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint.
Source: nvd
CVE-2025-54499 | LOW | CVSS 3.7 | affected: ≥ 10.5.0, < 10.5.11; ≥ 10.11.0, < 10.11.3 | published 2025-10-16
CWE-208: Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons, which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.
Source: nvd
CVE-2025-9079 | HIGH | CVSS 7.2 | affected: ≥ 9.11.0, < 9.11.18; ≥ 10.5.0, < 10.5.9; +3 more | published 2025-09-19
CWE-22: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via malicious plugin upload to the prepackaged plugins directory.
Source: nvd
CVE-2025-9081 | MEDIUM | CVSS 6.5 | affected: ≥ 9.11.0, < 9.11.17; ≥ 10.5.0, < 10.5.9 | published 2025-09-19
CWE-639: Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.
Source: nvd
CVE-2025-9078 | MEDIUM | CVSS 4.3 | affected: ≥ 9.11.0, < 9.11.18; ≥ 10.5.0, < 10.5.9; +3 more | published 2025-09-15
CWE-328: Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata, which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
Source: nvd
CVE-2025-9076 | MEDIUM | CVSS 6.5 | affected: ≥ 10.10.0, < 10.10.2 | published 2025-09-15
CWE-862: Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Source: nvd
CVE-2025-9072 | MEDIUM | CVSS 5.4 | affected: ≥ 10.5.0, < 10.5.10; ≥ 10.9.0, < 10.9.5; +1 more | published 2025-09-15
CWE-601: Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL.
Source: nvd
CVE-2025-9084 | MEDIUM | CVSS 6.1 | affected: ≥ 10.5.0, < 10.5.10 | published 2025-09-15
CWE-601: Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs, which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.
Source: nvd