CVE Daily
← All tags

Tag: Mattermost

All CVEs associated with "Mattermost". Page 2/5 • 583 CVEs.

Subscribe CVEs: RSS for “Mattermost”  ·  RSS (High+Critical only)

About “Mattermost”

A curated feed of “Mattermost”-related CVEs appears below. We currently track 583 CVEs for this tag (all time). In the last 365 days, 159 were published. Average CVSS is 5.3 (all time; 5.1 over 365d), and 19% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-862 - Missing Authorization, CWE-754 - Improper Check for Unusual or Exceptional Conditions.

In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-10-13
Low

CVE-2025-58084

Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application…

CVSS: 3.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2025-09-19
Low

CVE-2025-9081

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint usin…

CVSS: 3.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-9079

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execut…

CVSS: 8.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-09-15
Low

CVE-2025-9084

Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

CVSS: 3.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
High

CVE-2025-9072

Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates w…

CVSS: 7.6 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2025-9078

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users…

CVSS: 4.3 CWE: CWE-328 - Use of Weak Hash View on NVD
Medium

CVE-2025-9076

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
2025-08-21
Medium

CVE-2025-8402

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bu…

CVSS: 4.9 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2025-6465

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment th…

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-8023

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Low

CVE-2025-53971

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PU…

CVSS: 3.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-49810

Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts

CVSS: 3.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-49222

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system a…

CVSS: 6.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2025-47870

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an tea…

CVSS: 4.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Low

CVE-2025-47700

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

CVSS: 3.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2025-36530

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-08-11
Medium

CVE-2025-8285

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API cal…

CVSS: 4.0 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-54525

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid…

CVSS: 7.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
High

CVE-2025-54478

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to…

CVSS: 7.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-54463

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.

CVSS: 5.9 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2025-54458

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have…

CVSS: 5.0 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-53910

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API c…

CVSS: 4.0 CWE: CWE-862 - Missing Authorization View on NVD
Low

CVE-2025-53857

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via AP…

CVSS: 3.7 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-53514

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.

CVSS: 5.9 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
High

CVE-2025-52931

Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid…

CVSS: 7.5 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Low

CVE-2025-49221

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via AP…

CVSS: 3.7 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-48731

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have a…

CVSS: 6.4 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-44004

Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorizatio…

CVSS: 7.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-44001

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via AP…

CVSS: 4.0 CWE: CWE-862 - Missing Authorization View on NVD
2025-07-18
Low

CVE-2025-6227

Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization pa…

CVSS: 2.2 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2025-6233

Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-6226

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated us…

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-06-30
Medium

CVE-2025-47871

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allow…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-46702

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants t…

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-06-20
Medium

CVE-2025-3228

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allo…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-3227

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2025-4981

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to w…

CVSS: 9.9 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2025-06-11
Medium

CVE-2025-4573

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with Permission…

CVSS: 4.1 CWE: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') View on NVD
Low

CVE-2025-4128

Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams th…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-05-30
Low

CVE-2025-3611

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Mana…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-3230

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to m…

CVSS: 5.4 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Medium

CVE-2025-2571

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to…

CVSS: 4.2 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Low

CVE-2025-1792

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest u…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-05-29
Medium

CVE-2025-3913

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators wit…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-05-15
Low

CVE-2025-2570

Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `Expe…

CVSS: 2.7 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-2527

Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-3446

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite n…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-31947

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP…

CVSS: 5.8 CWE: CWE-645 - Overly Restrictive Account Lockout Mechanism View on NVD
2025-04-24
Low

CVE-2025-41423

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-41395

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an a…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-35965

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows…

CVSS: 6.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2025-04-16
Medium

CVE-2025-2564

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-31363

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an…

CVSS: 3.0 CWE: N/A View on NVD
Medium

CVE-2025-27936

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret w…

CVSS: 5.3 CWE: CWE-208 - Observable Timing Discrepancy View on NVD
Medium

CVE-2025-27571

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-27538

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with ed…

CVSS: 2.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Low

CVE-2025-24839

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to a…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-04-14
Medium

CVE-2025-2475

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly on…

CVSS: 5.4 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Low

CVE-2025-2424

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata…

CVSS: 3.1 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-32093

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administrati…

CVSS: 4.7 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-30516

Mattermost Mobile Apps versions <=2.25.0  fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive…

CVSS: 2.0 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2025-04-10
Low

CVE-2025-24866

Mattermost versions 9.11.x <= 9.11.8  fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance…

CVSS: 2.7 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-03-24
Medium

CVE-2025-1558

Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a malic…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2025-03-21
Medium

CVE-2025-30179

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, ch…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-27933

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to pr…

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-27715

Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links wi…

CVSS: 3.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2025-25274

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2025-25068

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-24920

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users create…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-03-19
Medium

CVE-2025-1472

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-03-17
Low

CVE-2025-1398

Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code inj…

CVSS: 3.3 CWE: CWE-426 - Untrusted Search Path View on NVD
2025-02-24
Critical

CVE-2025-25279

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitra…

CVSS: 9.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-24526

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archive…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Critical

CVE-2025-24490

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve d…

CVSS: 9.6 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2025-20051

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbit…

CVSS: 9.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Low

CVE-2025-1412

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on…

CVSS: 3.1 CWE: CWE-384 - Session Fixation View on NVD
2025-02-14
Low

CVE-2025-0503

Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually m…

CVSS: 3.1 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2025-01-16
Medium

CVE-2025-20630

Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creatin…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-20621

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allo…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-20072

Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted mal…

CVSS: 6.5 CWE: CWE-704 - Incorrect Type Conversion or Cast View on NVD
Medium

CVE-2025-0476

Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the…

CVSS: 4.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2025-01-15
Medium

CVE-2025-21083

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-20088

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a mali…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-20086

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a mali…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-20036

Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2025-21088

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which…

CVSS: 6.5 CWE: CWE-704 - Incorrect Type Conversion or Cast View on NVD
2025-01-09
Low

CVE-2025-22449

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite…

CVSS: 3.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2025-22445

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

CVSS: 3.5 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2025-20033

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins…

CVSS: 4.3 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
2024-12-16
Medium

CVE-2024-11358

Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.

CVSS: 5.7 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-54682

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by…

CVSS: 6.5 CWE: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification) View on NVD
Medium

CVE-2024-54083

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile…

CVSS: 6.5 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
Medium

CVE-2024-48872

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to…

CVSS: 4.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2024-12-05
Medium

CVE-2024-12247

Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if th…

CVSS: 4.6 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-11-28
High

CVE-2024-11599

Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restric…

CVSS: 8.2 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2024-11-09
Medium

CVE-2024-52032

Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2024-42000

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels  which allows a User or System Manager, with "R…

CVSS: 2.7 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2024-36250

Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds

CVSS: 3.1 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
2024-10-29
Medium

CVE-2024-47401

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large respon…

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2024-46872

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path travers…

CVSS: 4.6 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-50052

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an au…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-10241

Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
2024-10-28
Low

CVE-2024-10214

Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.

CVSS: 3.5 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
2024-09-26
Medium

CVE-2024-9155

Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2024-47145

Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived chan…

CVSS: 3.1 CWE: CWE-284 - Improper Access Control View on NVD
Low

CVE-2024-47003

Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a pe…

CVSS: 3.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Low

CVE-2024-45843

Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deploy…

CVSS: 3.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2024-42406

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to r…

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
2024-09-16
Low

CVE-2024-45835

Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.

CVSS: 2.5 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Low

CVE-2024-39772

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.

CVSS: 3.7 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-45833

Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary…

CVSS: 4.5 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2024-39613

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of…

CVSS: 5.3 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2024-08-23
Medium

CVE-2024-43105

Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple tim…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-08-22
Medium

CVE-2024-43780

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-42497

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams…

CVSS: 6.0 CWE: CWE-284 - Improper Access Control View on NVD
Low

CVE-2024-40884

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

CVSS: 2.7 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-8071

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to…

CVSS: 4.7 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-43813

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-42411

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/…

CVSS: 5.3 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2024-40886

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-sid…

CVSS: 4.6 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD