
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc)
Product: Mattermost Server (657bc445-594e-5ca1-a676-4f18538f1c02)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/mattermost/mattermost-server | purl2cpe | 2026-06-01 10:18:19.857462

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-6347 vulnerable 2026-06-03 15:27:55.146003 Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets
HIGH (7.6)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
Published: 2026-05-18T08:30:41.433Z
Updated: 2026-05-18T14:38:21.525Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6346 vulnerable 2026-06-03 15:27:55.145553 Sensitive credentials exposed in plaintext in Mattermost support packets
HIGH (8.7)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607
Published: 2026-05-18T08:37:10.590Z
Updated: 2026-05-18T14:37:17.045Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6345 vulnerable 2026-06-03 15:27:55.145019 Prevent password disclosure and force reset during Slack import
MEDIUM (6.5)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Published: 2026-05-18T08:40:00.821Z
Updated: 2026-05-19T03:55:27.376Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6343 vulnerable 2026-06-03 15:27:55.140588 Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
Published: 2026-05-18T08:32:28.121Z
Updated: 2026-05-18T14:37:55.344Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6340 vulnerable 2026-06-03 15:27:55.139572 Memory Exhaustion via Malicious 7zip File Upload
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573
Published: 2026-05-18T07:08:56.863Z
Updated: 2026-05-18T12:43:56.170Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6339 vulnerable 2026-06-03 15:27:55.139231 Missing request origin validation on burn-on-read reveal endpoint
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636
Published: 2026-05-18T08:05:30.925Z
Updated: 2026-05-18T12:42:01.321Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6333 vulnerable 2026-06-03 15:27:55.137997 SSRF via Host Header Spoofing in Custom Slash Commands
LOW (3.5)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582
Published: 2026-05-18T08:41:29.342Z
Updated: 2026-05-19T17:19:42.466Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-5163 vulnerable 2026-06-03 15:26:26.628503 Missing authorization check in AI message rewrite endpoint allows access to private thread content
MEDIUM (6.5)
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645
Published: 2026-05-18T08:11:13.972Z
Updated: 2026-05-18T14:40:03.490Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4286 vulnerable 2026-06-03 15:26:25.117472 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update
LOW (3.1)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552
Published: 2026-05-18T08:07:06.829Z
Updated: 2026-05-18T12:41:28.632Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4274 vulnerable 2026-06-03 15:26:25.088199 Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access
MEDIUM (5.4)
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574
Published: 2026-03-26T10:43:24.611Z
Updated: 2026-03-26T13:58:41.567Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4273 vulnerable 2026-06-03 15:26:25.087635 Insufficient token rotation validation in remote cluster invite confirmation
LOW (3.7)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
Published: 2026-05-18T06:56:11.868Z
Updated: 2026-05-18T14:34:29.961Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4265 vulnerable 2026-06-03 15:26:25.054607 Guest user can upload files without permission across teams
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553
Published: 2026-03-16T12:07:14.659Z
Updated: 2026-03-16T13:49:55.080Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4054 vulnerable 2026-06-03 15:26:24.273655 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link. Mattermost Advisory ID: MMSA-2026-00630
Published: 2026-05-15T18:32:44.388Z
Updated: 2026-05-15T20:23:24.121Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4053 vulnerable 2026-06-03 15:26:24.273117 post edit time limit is not enforced on some post update operations
LOW (3.1)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631
Published: 2026-05-15T18:42:47.149Z
Updated: 2026-05-15T20:01:17.492Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3637 vulnerable 2026-06-03 15:23:33.244625 Mattermost fails to enforce create_post permission when editing posts
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026-00627
Published: 2026-05-18T06:53:29.311Z
Updated: 2026-05-18T14:35:00.560Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3590 vulnerable 2026-06-03 15:23:33.146605 Race Condition in Guest Magic Link Authentication Allows Token Reuse
MEDIUM (6.5)
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests. Mattermost Advisory ID: MMSA-2026-00624
Published: 2026-04-15T11:00:14.880Z
Updated: 2026-04-15T14:00:27.030Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3495 vulnerable 2026-06-03 15:23:32.780591 Unescaped variables during error page composition
LOW (3.8)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622
Published: 2026-05-18T06:58:29.673Z
Updated: 2026-05-18T14:33:30.914Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3115 vulnerable 2026-06-03 15:22:13.821085 Guest users can view group member IDs without respecting view restrictions
MEDIUM (4.3)
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594
Published: 2026-03-26T16:23:05.887Z
Updated: 2026-03-26T17:51:14.689Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3114 vulnerable 2026-06-03 15:22:13.820631 Zip Bomb Denial of Service via Unrestricted Archive Decompression
MEDIUM (6.5)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598
Published: 2026-03-26T16:21:19.421Z
Updated: 2026-03-26T17:51:14.833Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3113 vulnerable 2026-06-03 15:22:13.820042 mmctl export download command doesn’t restrict permissions to created file to file owner
MEDIUM (5)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on the downloaded bulk export, which allows other local users on the server to read the contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593
Published: 2026-03-26T16:18:06.693Z
Updated: 2026-03-26T17:51:15.160Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3112 vulnerable 2026-06-03 15:22:13.819338 Arbitrary File Read via Advanced Logging Support Packet
MEDIUM (6.8)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562
Published: 2026-03-26T16:29:54.399Z
Updated: 2026-03-26T16:51:15.488Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3108 vulnerable 2026-06-03 15:22:13.808656 Terminal Escape Injection in mmctl Report Posts Command
HIGH (8)
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
Published: 2026-03-26T16:16:49.790Z
Updated: 2026-03-27T03:55:41.498Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2578 vulnerable 2026-06-03 15:19:24.539657 Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Published: 2026-03-16T11:58:09.834Z
Updated: 2026-03-16T13:49:55.812Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2463 vulnerable 2026-06-03 15:19:24.290075 Unauthorized access to invite ID during team creation
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
Published: 2026-03-16T11:13:57.575Z
Updated: 2026-03-16T13:49:58.332Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2462 vulnerable 2026-06-03 15:19:24.289555 Admin RCE via Malicious Plugin Upload on CI Test Instances
MEDIUM (6.6)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
Published: 2026-03-16T12:00:21.069Z
Updated: 2026-03-17T03:55:27.849Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2461 vulnerable 2026-06-03 15:19:24.289225 Missing authorization check allows unauthorized modification of other users' comments on a board
MEDIUM (4.3)
Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
Published: 2026-03-16T11:16:32.720Z
Updated: 2026-03-16T13:49:57.924Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2458 vulnerable 2026-06-03 15:19:24.277298 Unauthorized channel enumeration in private teams after member removal
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory ID: MMSA-2025-00568
Published: 2026-03-16T11:27:49.310Z
Updated: 2026-03-16T13:49:57.631Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2457 vulnerable 2026-06-03 15:19:24.276945 WebSocket Message Spoofing via Permalink Embed Manipulation
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Published: 2026-03-16T11:20:25.335Z
Updated: 2026-03-16T13:49:57.761Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2456 vulnerable 2026-06-03 15:19:24.276479 Denial of Service via Unbounded Memory Allocation in Integration Actions
MEDIUM (5.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button. Mattermost Advisory ID: MMSA-2026-00571
Published: 2026-03-16T11:06:44.920Z
Updated: 2026-03-16T13:49:58.650Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2455 vulnerable 2026-06-03 15:19:24.275951 SSRF bypass via IPv4-mapped IPv6 literals
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]). Mattermost Advisory ID: MMSA-2026-00585
Published: 2026-03-16T14:53:31.280Z
Updated: 2026-03-16T18:38:07.619Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2454 vulnerable 2026-06-03 15:19:24.275598 DoS in Calls plugin via malformed msgpack in websocket request.
MEDIUM (5.8)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537
Published: 2026-03-16T20:10:16.644Z
Updated: 2026-03-17T13:37:43.947Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2325 vulnerable 2026-06-03 15:19:23.999332 Improper Input Validation in MS Teams Meetings API Handler
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}. Mattermost Advisory ID: MMSA-2026-00608
Published: 2026-05-18T06:51:47.104Z
Updated: 2026-05-18T14:35:38.548Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28759 vulnerable 2026-06-03 15:19:22.199608 Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Published: 2026-05-18T06:50:07.346Z
Updated: 2026-05-18T14:36:08.107Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28741 vulnerable 2026-06-03 15:19:22.067066 CSRF Protection Bypass Allows Updating a User's Authentication Method
MEDIUM (6.8)
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Published: 2026-04-15T10:13:33.950Z
Updated: 2026-04-15T15:39:52.265Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28732 vulnerable 2026-06-03 15:19:22.053447 Slash command trigger-word update allowed command hijacking
MEDIUM (4.3)
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597
Published: 2026-05-18T08:35:40.393Z
Updated: 2026-05-18T14:37:33.547Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27769 vulnerable 2026-06-03 15:18:07.223254 Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
LOW (2.7)
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603
Published: 2026-04-15T10:11:07.676Z
Updated: 2026-04-15T13:08:35.452Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27659 vulnerable 2026-06-03 15:18:07.025969 CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint
MEDIUM (4.6)
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Published: 2026-03-25T16:33:32.724Z
Updated: 2026-03-25T17:39:28.092Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27656 vulnerable 2026-06-03 15:18:07.025511 Account Takeover via Substring Matching in OpenID Connect Authentication
MEDIUM (5.7)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
Published: 2026-03-25T16:28:29.739Z
Updated: 2026-03-26T13:19:52.338Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-26304 vulnerable 2026-06-03 15:18:05.506792 Permission Bypass in Playbook Run Creation
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
Published: 2026-03-16T19:53:21.650Z
Updated: 2026-03-17T13:38:03.996Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-26246 vulnerable 2026-06-03 15:18:05.459922 Memory Exhaustion via Malformed PSD File Upload
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572
Published: 2026-03-16T11:33:02.591Z
Updated: 2026-03-16T13:49:57.467Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-26233 vulnerable 2026-06-03 15:18:05.450979 Denial of Service via HTTP/2 single packet attack on login endpoint
MEDIUM (4.3)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via an HTTP/2 single packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566
Published: 2026-03-25T16:24:47.694Z
Updated: 2026-03-27T14:59:50.732Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-26230 vulnerable 2026-06-03 15:18:05.450519 Team Admin Privilege Escalation to Demote Members to Guest
LOW (3.8)
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
Published: 2026-03-16T20:19:51.287Z
Updated: 2026-03-17T13:37:17.914Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25783 vulnerable 2026-06-03 15:18:04.060669 Denial of service via malformed User-Agent header in getBrowserVersion
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
Published: 2026-03-16T12:04:18.478Z
Updated: 2026-03-16T13:49:55.332Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25780 vulnerable 2026-06-03 15:18:04.059266 Memory Exhaustion via Malformed DOC File Upload
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Published: 2026-03-16T12:59:13.620Z
Updated: 2026-03-16T13:49:54.865Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-24692 vulnerable 2026-06-03 15:16:52.949760 Guest users can bypass read permissions via search API
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
Published: 2026-03-16T14:56:45.323Z
Updated: 2026-03-16T18:19:26.675Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-24458 vulnerable 2026-06-03 15:16:52.505821 DoS attack via login attempts with multi-megabyte passwords
HIGH (7.5)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Published: 2026-03-16T12:02:23.223Z
Updated: 2026-03-16T13:49:55.523Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-22892 vulnerable 2026-06-03 15:15:54.316892 Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments
MEDIUM (4.3)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post. Mattermost Advisory ID: MMSA-2025-00550
Published: 2026-02-13T10:29:00.943Z
Updated: 2026-02-13T17:03:30.894Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-22545 vulnerable 2026-06-03 15:15:53.507142 Password Change Bypass via Auth Switch Endpoint
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.10 fail to validate the user's authentication method when processing an account auth type switch, which allows an authenticated attacker to change the account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID: MMSA-2026-00583
Published: 2026-03-16T14:54:45.344Z
Updated: 2026-03-16T18:15:37.142Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-21388 vulnerable 2026-06-03 15:15:50.938338 Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint
LOW (3.7)
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
Published: 2026-04-09T10:09:23.899Z
Updated: 2026-04-09T11:44:54.614Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-21386 vulnerable 2026-06-03 15:15:50.937879 Private channel enumeration via /mute slash command
MEDIUM (4.3)
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
Published: 2026-03-16T14:51:43.263Z
Updated: 2026-03-16T18:39:14.064Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-20796 vulnerable 2026-06-03 15:15:46.763539 Time-of-check time-of-use vulnerability in common teams API
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549
Published: 2026-02-13T10:30:03.445Z
Updated: 2026-02-13T17:02:25.985Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-20719 vulnerable 2026-06-03 15:15:46.492277 DoS via URL Previews Rendering Malicious SVGs
MEDIUM (4.3)
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595
Published: 2026-03-25T16:30:47.041Z
Updated: 2026-03-26T17:11:21.474Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1629 vulnerable 2026-06-03 15:14:44.801685 Permalink Preview Information Disclosure After Permission Revocation
MEDIUM (4.3)
Mattermost versions 10.11.x <= 10.11.10 fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin. Mattermost Advisory ID: MMSA-2026-00580
Published: 2026-03-16T20:24:05.415Z
Updated: 2026-03-17T13:36:52.223Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0999 vulnerable 2026-06-03 15:14:43.341856 Authentication bypass via userID login when email and username login are disabled
MEDIUM (5.4)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Published: 2026-02-16T09:47:45.960Z
Updated: 2026-02-17T16:53:07.181Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0998 vulnerable 2026-06-03 15:14:43.341378 Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls
MEDIUM (4.3)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the `/api/v1/askPMI` endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data. Mattermost Advisory ID: MMSA-2025-00534
Published: 2026-02-16T09:54:24.732Z
Updated: 2026-02-17T15:00:44.691Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-0997 vulnerable 2026-06-03 15:14:43.337493 Mattermost Zoom Plugin channel preference API lacks authorization checks
MEDIUM (4.3)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing `/plugins/zoom/api/v1/channel-preference`, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests. Mattermost Advisory ID: MMSA-2025-00558
Published: 2026-02-16T09:58:41.450Z
Updated: 2026-02-17T15:00:18.867Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9084 vulnerable 2026-06-03 15:13:45.386725 Open redirect in OAuth login
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
Published: 2025-09-15T10:22:30.184Z
Updated: 2025-09-15T12:24:41.138Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9081 vulnerable 2026-06-03 15:13:45.381843 IDOR in board file download allows any user to download any file by UUID
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
Published: 2025-09-19T19:36:14.702Z
Updated: 2025-09-19T19:52:03.664Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9079 vulnerable 2026-06-03 15:13:45.379304 Admin RCE via prepackaged plugins by way of misconfigured imports directory
HIGH (8)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
Published: 2025-09-19T19:22:00.288Z
Updated: 2026-02-26T17:48:20.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9078 vulnerable 2026-06-03 15:13:45.378859 Weak cache keys lead to post IDOR and link preview poisoning
MEDIUM (4.3)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing
Published: 2025-09-15T10:10:06.886Z
Updated: 2025-09-15T13:57:49.086Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9076 vulnerable 2026-06-03 15:13:45.376645 Mattermost Server exposes sensitive user credentials during shared channel membership synchronization
MEDIUM (6.5)
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Published: 2025-09-15T10:06:15.094Z
Updated: 2025-09-15T14:05:16.235Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-9072 vulnerable 2026-06-03 15:13:45.370355 One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter
HIGH (7.6)
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.
Published: 2025-09-15T10:28:17.356Z
Updated: 2025-09-15T12:06:57.518Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8402 vulnerable 2026-06-03 15:13:43.541502 Nil pointer dereference in bulk import crashes server
MEDIUM (4.9)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
Published: 2025-08-21T17:01:43.420Z
Updated: 2025-08-21T17:30:38.422Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8023 vulnerable 2026-06-03 15:13:42.052853 Path Traversal in Template Upload Allows Uploading Files Outside Target Directory
MEDIUM (6.8)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
Published: 2025-08-21T07:51:37.130Z
Updated: 2025-08-21T14:50:55.341Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6465 vulnerable 2026-06-03 15:12:27.659988 Path traversal in image upload with preview overwrite
MEDIUM (4.3)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
Published: 2025-08-21T17:01:42.866Z
Updated: 2025-08-21T17:30:45.951Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6233 vulnerable 2026-06-03 15:12:27.057914 Arbitrary file read by system admin via path traversal
MEDIUM (6.8)
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Published: 2025-07-18T09:09:22.809Z
Updated: 2025-07-18T12:30:35.494Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6227 vulnerable 2026-06-03 15:12:27.039917 Invite token is used as part of the secure communication
LOW (2.2)
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
Published: 2025-07-18T11:39:46.005Z
Updated: 2025-07-18T13:44:00.998Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-6226 vulnerable 2026-06-03 15:12:27.039411 IDOR in CreatePost API allows for timeboxed message disclosure
MEDIUM (6.5)
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Published: 2025-07-18T08:48:02.717Z
Updated: 2025-08-07T09:53:06.698Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-64641 vulnerable 2026-06-03 15:09:39.458856 Mattermost Jira plugin crafted action leaks Jira issue details
MEDIUM (4.1)
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts
Published: 2025-12-24T08:02:55.476Z
Updated: 2025-12-24T16:35:17.618Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-62690 vulnerable 2026-06-03 15:09:35.031413 Open redirect in error page when link opened in new tab
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
Published: 2025-12-17T12:19:17.658Z
Updated: 2025-12-17T14:45:57.830Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-62190 vulnerable 2026-06-03 15:07:57.973260 CSRF Allows Call Initiation and Message Delivery
MEDIUM (4.3)
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
Published: 2025-12-17T12:07:37.516Z
Updated: 2025-12-17T15:47:20.828Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-58075 vulnerable 2026-06-03 15:06:20.583025 Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState
HIGH (8.1)
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
Published: 2025-10-16T08:20:06.939Z
Updated: 2026-02-26T16:57:27.125Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-58073 vulnerable 2026-06-03 15:06:20.579376 Arbitrary Mattermost Team can be joined by manipulating the OAuth state
HIGH (8.1)
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Published: 2025-10-16T08:44:26.158Z
Updated: 2026-02-26T16:57:26.083Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-55074 vulnerable 2026-06-03 15:04:57.601025 Channel member objects leak read status
LOW (3)
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects
Published: 2025-11-18T15:23:29.642Z
Updated: 2025-11-18T21:03:22.890Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-55073 vulnerable 2026-06-03 15:04:57.600596 MS Teams plugin OAuth allows editing arbitrary posts
MEDIUM (5.4)
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Published: 2025-11-14T08:03:16.922Z
Updated: 2025-11-14T15:46:58.129Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-55070 vulnerable 2026-06-03 15:04:57.599212 Lack of MFA enforcement in WebSocket connections
MEDIUM (6.5)
Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
Published: 2025-11-14T08:02:24.764Z
Updated: 2025-11-14T15:47:52.338Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-54499 vulnerable 2026-06-03 15:04:56.116004 Insecure string comparison enables timing attacks
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets
Published: 2025-10-16T08:17:20.937Z
Updated: 2025-10-16T13:51:10.320Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-53971 vulnerable 2026-06-03 15:03:55.412270 Channel and Team Membership APIs inadvertently allow loss of Member privileges.
LOW (3.8)
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
Published: 2025-08-21T07:31:01.870Z
Updated: 2025-08-21T14:51:19.669Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4981 vulnerable 2026-06-03 15:01:49.119844 Path Traversal Leading to RCE by Any Authenticated Mattermost User
CRITICAL (9.9)
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.
Published: 2025-06-20T10:27:13.471Z
Updated: 2025-06-20T13:10:32.981Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4573 vulnerable 2026-06-03 15:01:47.959468 LDAP Injection in Mattermost Enterprise Edition When Using Active Directory
MEDIUM (4.1)
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
Published: 2025-06-11T10:22:24.103Z
Updated: 2025-06-11T13:13:11.535Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-4128 vulnerable 2026-06-03 15:01:46.799281 Mattermost Guest User Information Disclosure Vulnerability
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Published: 2025-06-11T10:25:04.917Z
Updated: 2025-06-11T13:12:40.338Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-49810 vulnerable 2026-06-03 15:01:46.096196 Thread summarization allows persistent access to channel
LOW (3.5)
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows a user to read a thread via AI posts.
Published: 2025-08-21T07:15:27.928Z
Updated: 2025-08-21T13:49:24.983Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-49222 vulnerable 2026-06-03 15:01:44.285003 Mattermost Shared Channel Upload Type Validation Bypass
MEDIUM (6.8)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Published: 2025-08-21T07:59:45.057Z
Updated: 2025-08-21T13:57:13.759Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-47871 vulnerable 2026-06-03 15:01:33.506521 Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.
Published: 2025-06-30T16:51:13.979Z
Updated: 2025-06-30T20:48:41.938Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-47870 vulnerable 2026-06-03 15:01:33.506123 Team invite ID leaked to team admin with no member invite privileges
MEDIUM (4.3)
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows a team admin with no member invite privileges to get the team's invite ID.
Published: 2025-08-21T08:02:44.934Z
Updated: 2025-08-21T13:53:10.862Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-47700 vulnerable 2026-06-03 15:01:33.268641 AI plugin APIs can be triggered using post actions
LOW (3.5)
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
Published: 2025-08-21T07:28:37.220Z
Updated: 2025-08-21T14:53:18.203Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-46702 vulnerable 2026-06-03 15:01:27.836205 Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
MEDIUM (5.4)
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.
Published: 2025-06-30T16:51:13.440Z
Updated: 2025-06-30T20:49:08.152Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-41443 vulnerable 2026-06-03 15:01:14.900754 Guest user can discover active public channels
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
Published: 2025-10-16T08:10:40.582Z
Updated: 2025-10-29T08:06:29.837Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-41436 vulnerable 2026-06-03 15:01:14.888249 Unauthorized access to archived channel content via threads interface
LOW (3.1)
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
Published: 2025-11-14T08:00:42.467Z
Updated: 2025-11-14T15:48:31.081Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-41423 vulnerable 2026-06-03 15:01:14.855564 Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin
LOW (3.1)
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.
Published: 2025-04-24T06:50:12.214Z
Updated: 2025-04-24T13:06:53.385Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-41410 vulnerable 2026-06-03 15:01:14.823247 Slack import bypasses email verification for team access controls
MEDIUM (5.4)
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions
Published: 2025-10-16T08:39:58.233Z
Updated: 2025-10-16T14:00:19.181Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-41395 vulnerable 2026-06-03 15:01:14.776955 Webapp DoS via malicious retrospective post in Playbooks
MEDIUM (6.5)
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.
Published: 2025-04-24T06:48:31.087Z
Updated: 2025-04-24T13:58:04.968Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3913 vulnerable 2026-06-03 15:01:05.927443 Team Privacy Settings Authorization Bypass in Mattermost Server
MEDIUM (5.3)
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
Published: 2025-05-29T15:10:36.914Z
Updated: 2025-05-29T15:43:16.437Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3611 vulnerable 2026-06-03 15:01:05.186605 Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions
LOW (3.1)
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.
Published: 2025-05-30T14:22:09.854Z
Updated: 2025-05-30T14:37:42.109Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3446 vulnerable 2026-06-03 15:01:04.428637 Members Without Guest Invite Permissions Can Add Guests to Teams
MEDIUM (4.3)
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.
Published: 2025-05-15T10:43:46.639Z
Updated: 2025-05-15T13:41:54.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3230 vulnerable 2026-06-03 15:01:04.062850 Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server
MEDIUM (5.4)
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
Published: 2025-05-30T14:22:09.392Z
Updated: 2025-05-30T14:42:40.557Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3228 vulnerable 2026-06-03 15:01:04.061606 Unauthorized Guest user access to Playbook
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
Published: 2025-06-20T14:31:49.162Z
Updated: 2025-06-23T20:45:21.017Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3227 vulnerable 2026-06-03 15:01:04.058164 Unauthorized channel member management through playbook runs
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.
Published: 2025-06-20T14:31:48.644Z
Updated: 2025-06-23T20:44:50.189Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-36530 vulnerable 2026-06-03 15:00:53.587446 Import Path Traversal Enables Unauthorized Unsigned Plugin Installation
MEDIUM (6.8)
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Published: 2025-08-21T07:11:43.241Z
Updated: 2025-08-21T13:50:42.949Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-35965 vulnerable 2026-06-03 15:00:52.246222 DoS in Mattermost Playbooks via Excessive Task Actions
MEDIUM (6.5)
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.
Published: 2025-04-24T06:49:22.669Z
Updated: 2025-04-24T13:06:59.413Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32093 vulnerable 2026-06-03 15:00:39.984838 System admin profile modification by delegated granular administration role
MEDIUM (4.7)
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.
Published: 2025-04-14T06:57:54.208Z
Updated: 2025-04-14T13:58:29.741Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-31947 vulnerable 2026-06-03 15:00:39.692405 Repeated LDAP login failures can lock an LDAP account
MEDIUM (5.8)
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures submitted through Mattermost.
Published: 2025-05-15T10:41:42.104Z
Updated: 2025-05-15T13:46:27.427Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-31363 vulnerable 2026-06-03 15:00:30.516343 Data exfiltration via AI plugin Jira tool
LOW (3)
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.
Published: 2025-04-16T09:14:15.992Z
Updated: 2025-04-16T14:33:01.674Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-30179 vulnerable 2026-06-03 15:00:27.463524 MFA Enforcement Bypass in Search APIs
MEDIUM (4.3)
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
Published: 2025-03-21T08:24:57.929Z
Updated: 2025-03-21T17:27:31.203Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2571 vulnerable 2026-06-03 15:00:25.912366 Google OAuth Authentication Bypass for Converted Bot Accounts
MEDIUM (4.2)
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
Published: 2025-05-30T14:22:08.913Z
Updated: 2025-05-30T14:44:40.129Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2570 vulnerable 2026-06-03 15:00:25.911923 System Admin Cannot Access Environment settings in System Console While System Manager Can
LOW (2.7)
Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentalSettings` when `RestrictSystemAdmin` is true via the System Console.
Published: 2025-05-15T15:27:50.280Z
Updated: 2025-05-15T15:47:16.151Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2564 vulnerable 2026-06-03 15:00:25.843013 Unauthorized View Access to Archived Channel Member Info
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.
Published: 2025-04-16T16:12:14.742Z
Updated: 2025-04-17T19:41:45.158Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2527 vulnerable 2026-06-03 15:00:25.737527 Improper access control to group information
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
Published: 2025-05-15T15:27:49.780Z
Updated: 2025-05-15T15:47:55.224Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2475 vulnerable 2026-06-03 15:00:25.528708 Unauthorized Bot Login Using Credentials
MEDIUM (5.4)
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
Published: 2025-04-14T14:49:36.261Z
Updated: 2025-04-14T14:59:27.677Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2424 vulnerable 2026-06-03 15:00:25.488747 Leaked Metadata of Deleted Files via Bookmark Creation
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
Published: 2025-04-14T14:49:35.783Z
Updated: 2025-04-14T15:00:45.367Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27936 vulnerable 2026-06-03 15:00:13.540338 Webhook Secret Exposure via Timing attack in MSteams plugin
MEDIUM (5.3)
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform a constant-time comparison of the MSTeams plugin webhook secret, which allows an attacker to recover the webhook secret via a timing attack on the secret comparison.
Published: 2025-04-16T09:14:55.095Z
Updated: 2025-04-16T14:32:45.176Z
Reference links
Imported from gcve-enriched-dumps CVE data
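The MSTeams entry above describes an early-exit comparison of the webhook secret. The Go example below is added here and is not Mattermost's or the plugin's code: `leakyCompare` has the vulnerable shape and exposes, as a step count, the side channel a timing attacker measures (the count grows with the length of the correctly guessed prefix); `constantTimeEqual` is the fix via `crypto/subtle`; and `verifyWebhookSignature` shows the stronger pattern of an HMAC over the request body, where the secret never travels in the request at all. The HMAC-SHA256 hex signature format and the sample secret are this example's assumptions, not the MSTeams plugin's wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// leakyCompare has the shape of an early-exit comparison. It returns whether
// the inputs match and how many bytes it inspected before deciding: that
// count is the side channel, because it grows with the length of the matching
// prefix an attacker has guessed so far.
func leakyCompare(presented, secret string) (equal bool, steps int) {
	if len(presented) != len(secret) {
		return false, 0
	}
	for i := 0; i < len(secret); i++ {
		steps++
		if presented[i] != secret[i] {
			return false, steps
		}
	}
	return true, steps
}

// constantTimeEqual is the fix: subtle.ConstantTimeCompare inspects every byte
// regardless of where the first mismatch is. It still returns early on a
// length mismatch, which leaks only the secret's length, not its content.
func constantTimeEqual(presented, secret string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(secret)) == 1
}

// signBody computes the sender-side HMAC-SHA256 over the webhook body
// (assumed format for this example: lowercase hex).
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyWebhookSignature recomputes the MAC on the receiver and compares it
// in constant time (hmac.Equal wraps subtle.ConstantTimeCompare). Because the
// secret is only ever an HMAC key, a timing leak on the comparison would at
// most reveal the MAC of this one body, never the secret itself.
func verifyWebhookSignature(secret, body []byte, hexSig string) bool {
	want, err := hex.DecodeString(hexSig)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}

func main() {
	const secret = "s3cr3t-webhook-token" // constructed sample secret (20 bytes)
	_, wrong := leakyCompare("xxxxxxxxxxxxxxxxxxxx", secret)
	_, prefix := leakyCompare("s3cr3xxxxxxxxxxxxxxx", secret)
	fmt.Printf("leaky: all-wrong guess inspected %d byte(s); 5-byte correct prefix inspected %d\n", wrong, prefix)
	fmt.Println("constant-time match:", constantTimeEqual(secret, secret))

	body := []byte(`{"event":"message"}`) // constructed sample payload
	sig := signBody([]byte(secret), body)
	fmt.Println("signature valid:", verifyWebhookSignature([]byte(secret), body, sig))
}
```

The step count is the structural leak; in a real attack the attacker measures response latency over many requests and averages out jitter, which is why "it is only a few nanoseconds" is not a defence.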
CVE:CVE-2025-27933 vulnerable 2026-06-03 15:00:13.535283 Unauthorized Private-to-Public Channel Conversion
MEDIUM (5.4)
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private channels to public.
Published: 2025-03-21T08:23:20.955Z
Updated: 2025-03-21T13:32:57.219Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27715 vulnerable 2026-06-03 15:00:13.060216 Auto-Enrollment of Team Admins into Private Channels without explicit consent
LOW (3.3)
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalinks without their explicit consent.
Published: 2025-03-21T08:22:25.321Z
Updated: 2025-03-21T13:35:01.832Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27571 vulnerable 2026-06-03 15:00:12.896069 Channel metadata visible in archived channels despite configuration setting
MEDIUM (4.3)
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.
Published: 2025-04-16T07:45:58.802Z
Updated: 2025-04-16T14:34:19.313Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-27538 vulnerable 2026-06-03 15:00:12.847949 MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users
LOW (2.2)
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
Published: 2025-04-16T07:45:01.229Z
Updated: 2025-04-16T14:34:29.842Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-25279 vulnerable 2026-06-03 14:59:58.305480 Arbitrary file read in Mattermost Boards via import & export board archive
CRITICAL (9.9)
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any file on the system by importing and then exporting a specially crafted archive in Boards.
Published: 2025-02-24T07:25:26.792Z
Updated: 2025-02-24T11:22:50.849Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-25274 vulnerable 2026-06-03 14:59:58.297030 Unauthorized Command Execution in Archived Channels
MEDIUM (4.3)
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
Published: 2025-03-21T08:24:13.165Z
Updated: 2025-03-21T17:27:56.172Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-25068 vulnerable 2026-06-03 14:59:57.743642 Bypassing MFA Enforcement on Plugin Endpoints
HIGH (7.5)
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
Published: 2025-03-21T08:26:32.027Z
Updated: 2025-03-21T12:25:55.494Z
Reference links
Imported from gcve-enriched-dumps CVE data
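The entry above is a gap in where an MFA check is applied rather than in the check itself: core API routes were gated, plugin routes were not. The Go example below is added here and is not Mattermost's code; it uses `net/http` to show the two mounting shapes side by side, with an in-memory session table, a hypothetical plugin route `/plugins/com.example.demo/api/v1/export`, and an exempt-path list that are all constructed for the example. The point is structural: the MFA middleware must wrap the root handler that every later-registered router (plugins included) hangs off, not one router in particular.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// session is the record the auth layer attaches to a request (constructed model).
type session struct {
	userID      string
	mfaVerified bool
}

// sessions is a constructed stand-in for the session store, keyed by bearer token.
var sessions = map[string]session{
	"tok-verified":   {userID: "u1", mfaVerified: true},
	"tok-unverified": {userID: "u2", mfaVerified: false},
}

// mfaExemptPaths are the only routes reachable before MFA is completed: the
// ones needed to complete it (the list is this example's assumption). They are
// exempt from the MFA gate only; ordinary login checks still apply to them.
var mfaExemptPaths = map[string]bool{
	"/api/v4/users/login": true,
	"/api/v4/users/mfa":   true,
}

// requireMFA rejects any request whose session has not completed MFA. It
// looks only at the session, never at which router owns the path.
func requireMFA(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if mfaExemptPaths[r.URL.Path] {
			next.ServeHTTP(w, r)
			return
		}
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		s, ok := sessions[tok]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !s.mfaVerified {
			http.Error(w, "mfa required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func respond(body string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { w.Write([]byte(body)) }
}

// buildServer mounts a core API router and a plugin router. With gateAtRoot
// the MFA check wraps the whole tree, so anything a plugin registers later is
// covered automatically. Without it (the bug shape) only the core router is
// gated and /plugins/... never passes through the check at all.
func buildServer(gateAtRoot bool) http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/v4/users/me", respond("me"))
	api.HandleFunc("/api/v4/users/mfa", respond("mfa-setup"))
	plugins := http.NewServeMux()
	plugins.HandleFunc("/plugins/com.example.demo/api/v1/export", respond("export"))

	root := http.NewServeMux()
	if gateAtRoot {
		root.Handle("/api/", api)
		root.Handle("/plugins/", plugins)
		return requireMFA(root)
	}
	root.Handle("/api/", requireMFA(api))
	root.Handle("/plugins/", plugins)
	return root
}

// call issues an in-process GET and returns the HTTP status code.
func call(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const plugin = "/plugins/com.example.demo/api/v1/export"
	fmt.Println("per-router gate, unverified session, plugin route:", call(buildServer(false), plugin, "tok-unverified"))
	fmt.Println("root gate, unverified session, plugin route:      ", call(buildServer(true), plugin, "tok-unverified"))
	fmt.Println("root gate, verified session, plugin route:        ", call(buildServer(true), plugin, "tok-verified"))
}
```

A useful regression test for any deployment with this architecture is the first line of `main`: an MFA-incomplete session against a plugin route must not return 200.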
CVE:CVE-2025-24920 vulnerable 2026-06-03 14:59:57.233442 Unauthorized Bookmark Creation and Modification in Archived Channels
MEDIUM (4.3)
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.
Published: 2025-03-21T08:25:44.676Z
Updated: 2025-03-21T12:28:00.367Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24866 vulnerable 2026-06-03 14:59:57.129637 Unauthorized Access to User Activity Logs API by delegated granular administration roles
LOW (2.7)
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
Published: 2025-04-10T15:33:21.882Z
Updated: 2025-04-10T15:43:54.351Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24839 vulnerable 2026-06-03 14:59:57.046774 Unauthorized AI bot activation via Wrangler plugin
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled.
Published: 2025-04-16T07:44:20.844Z
Updated: 2025-04-16T14:34:44.172Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24526 vulnerable 2026-06-03 14:59:56.247975 Channel export permitted on archived channel when viewing archived channels is disabled
MEDIUM (4.3)
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export the contents of a channel they should not have access to.
Published: 2025-02-24T07:23:23.331Z
Updated: 2025-02-24T11:24:41.215Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-24490 vulnerable 2026-06-03 14:59:56.193000 SQL Injection in Mattermost Boards via board category ID reordering
CRITICAL (9.6)
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query that reorders board categories, which allows an attacker to retrieve data from the database via SQL injection when reordering specially crafted board categories.
Published: 2025-02-24T07:26:30.679Z
Updated: 2025-02-24T11:21:41.385Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-22449 vulnerable 2026-06-03 14:59:39.969655 Access control flaw for team admins allows unauthorized team additions
LOW (3.8)
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway by updating the "allow_open_invite" field, i.e. by making their team public.
Published: 2025-01-09T06:54:53.029Z
Updated: 2025-01-09T15:29:20.571Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-22445 vulnerable 2026-06-03 14:59:39.964395 Misleading UI for undefined admin console settings in Calls causes security confusion
LOW (3.5)
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
Published: 2025-01-09T06:55:13.389Z
Updated: 2025-01-09T15:46:51.120Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-21088 vulnerable 2026-06-03 14:59:17.247756 WebApp crash via improper validation of proto style in attachments
MEDIUM (6.5)
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Published: 2025-01-15T15:51:49.474Z
Updated: 2025-01-15T16:20:11.778Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-20621 vulnerable 2026-06-03 14:59:14.813332 Webapp crash via object that can't be cast to String in Attachment Field
MEDIUM (6.5)
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
Published: 2025-01-16T18:16:28.042Z
Updated: 2025-01-16T18:57:02.927Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-20088 vulnerable 2026-06-03 14:59:07.221769 Insufficient Input Validation on Post Props
MEDIUM (6.5)
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Published: 2025-01-15T16:49:51.532Z
Updated: 2025-02-12T20:31:20.164Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-20086 vulnerable 2026-06-03 14:59:07.218368 Insufficient Input Validation on Post Props
MEDIUM (6.5)
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Published: 2025-01-15T16:49:51.066Z
Updated: 2025-02-12T20:31:20.302Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-20051 vulnerable 2026-06-03 14:59:07.168993 Arbitrary file read via block duplication in Mattermost Boards
CRITICAL (9.9)
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Published: 2025-02-24T07:27:23.182Z
Updated: 2025-02-24T11:20:04.651Z
Reference links
Imported from gcve-enriched-dumps CVE data
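Both Boards entries above (CVE-2025-25279 via import/export, CVE-2025-20051 via block duplication) come down to a file reference inside attacker-supplied block data being used as a filesystem path. The Go example below is added here and is not Mattermost's or Boards' code: it shows the confinement check a server should apply to every such reference before touching the disk, and a pre-pass that rejects a whole import if any one reference escapes. The storage root `/data/boards`, the `importFile` shape and the sample names are constructed for the example. It deliberately does not cover symlinks already present under the root; for that, open files relative to a root directory handle (Go 1.24's `os.Root`) rather than trusting a string check alone.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("import: path escapes the storage root")

// resolveInsideRoot maps a file reference taken from untrusted import data (an
// archive entry name, a block's file field) to an absolute path guaranteed to
// sit strictly below root. It rejects empty names, NUL bytes, absolute paths,
// Windows volume names, the root itself, and any ".." that climbs out of root.
// Backslashes are treated as separators before cleaning so that a name like
// `a\..\..\x` is not mistaken for a flat file name on Unix.
func resolveInsideRoot(root, untrusted string) (string, error) {
	if untrusted == "" || strings.ContainsRune(untrusted, 0) {
		return "", errOutsideRoot
	}
	name := strings.ReplaceAll(untrusted, "\\", "/")
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", errOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, filepath.FromSlash(name)) // Join also Cleans
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return joined, nil
}

// importFile is the shape of a block file reference in an import archive
// (constructed for this example; not Boards' real schema).
type importFile struct {
	Name string
}

// resolveAll checks every file reference in an import up front and refuses the
// whole import if any one of them escapes, instead of failing half-way
// through extraction with some files already written.
func resolveAll(root string, files []importFile) ([]string, error) {
	out := make([]string, 0, len(files))
	for _, f := range files {
		p, err := resolveInsideRoot(root, f.Name)
		if err != nil {
			return nil, fmt.Errorf("%w: %q", err, f.Name)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	root := "/data/boards" // constructed storage root
	samples := []string{"img/board.png", "img/../note.md", "../../etc/passwd", "/etc/passwd", `img\..\..\..\etc\passwd`}
	for _, n := range samples {
		p, err := resolveInsideRoot(root, n)
		fmt.Printf("%-28q -> %q %v\n", n, p, err)
	}
}
```

Note that the check is on the cleaned, joined result and not on the raw input: rejecting the literal substring `..` would also reject legitimate names such as `..hidden`, while accepting `a/b/../../../x` if the check ran before joining.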
CVE:CVE-2025-20033 vulnerable 2026-06-03 14:59:07.128462 DoS via custom post type for sysconsole plugin readers
MEDIUM (4.3)
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
Published: 2025-01-09T06:55:02.063Z
Updated: 2025-01-09T15:05:20.599Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1792 vulnerable 2026-06-03 14:59:06.504263 Improper Access Control in Mattermost Channel Member API
LOW (3.1)
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.
Published: 2025-05-30T14:22:08.404Z
Updated: 2025-06-12T17:07:00.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1472 vulnerable 2026-06-03 14:59:05.554870 Unauthorized View Access to Site Statistics and Team Statistics
MEDIUM (4.3)
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
Published: 2025-03-19T14:11:03.977Z
Updated: 2025-03-19T14:40:59.930Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1412 vulnerable 2026-06-03 14:59:05.390107 Session Persistence After User-to-Bot Conversion
LOW (3.1)
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Published: 2025-02-24T07:24:47.043Z
Updated: 2025-02-24T11:23:35.862Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14822 vulnerable 2026-06-03 14:58:56.002425 DoS from quadratic complexity in model.ParseHashtags
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Published: 2026-01-16T08:52:43.848Z
Updated: 2026-01-16T13:00:45.911Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14573 vulnerable 2026-06-03 14:58:55.572370 Team Admin Bypass of Invite Permissions via allow_open_invite Field
LOW (3.8)
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
Published: 2026-02-16T12:25:32.672Z
Updated: 2026-02-17T17:05:49.640Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14435 vulnerable 2026-06-03 14:58:55.340998 Application-Level DoS via infinite re-render loop in user profile handling
MEDIUM (6.8)
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
Published: 2026-01-16T11:25:35.817Z
Updated: 2026-01-16T14:09:00.429Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14350 vulnerable 2026-06-03 14:58:55.201908 Information disclosure via channel mentions in posts
MEDIUM (4.3)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
Published: 2026-02-16T12:05:33.312Z
Updated: 2026-02-17T17:06:07.112Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-14273 vulnerable 2026-06-03 14:58:55.002915 Mattermost Jira plugin user spoofing enables Jira request forgery.
HIGH (7.2)
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555
Published: 2025-12-22T11:24:55.893Z
Updated: 2025-12-22T12:59:27.938Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13870 vulnerable 2026-06-03 14:58:53.862103 Unauthorized access and subscription vulnerability in Boards
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user's permission when accessing files and subscribing to blocks in Boards, which allows an authenticated user to access the files of, and subscribe to blocks in, boards that the user does not have access to.
Published: 2025-12-02T09:28:44.436Z
Updated: 2025-12-02T14:38:23.000Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13821 vulnerable 2026-06-03 14:58:53.739360 User profile update exposes password hash and MFA secrets
MEDIUM (5.7)
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Published: 2026-02-16T11:57:25.588Z
Updated: 2026-02-17T17:06:14.279Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13767 vulnerable 2026-06-03 14:58:53.614896 Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin
MEDIUM (4.3)
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
Published: 2025-12-24T08:01:27.157Z
Updated: 2025-12-24T16:36:22.999Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13352 vulnerable 2026-06-03 14:58:45.925890 Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking
LOW (3)
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.
Published: 2025-12-17T12:11:25.563Z
Updated: 2025-12-17T16:48:08.118Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13324 vulnerable 2026-06-03 14:58:45.896449 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation
LOW (3.7)
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
Published: 2025-12-17T18:14:13.347Z
Updated: 2025-12-24T10:16:53.096Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12756 vulnerable 2026-06-03 14:58:44.814343 Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion
MEDIUM (4.3)
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
Published: 2025-12-01T19:51:46.289Z
Updated: 2025-12-01T20:02:24.869Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12689 vulnerable 2026-06-03 14:58:44.731676 DoS in Calls plugin via malformed UTF-8 in WebSocket request
MEDIUM (6.5)
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check that a WebSocket request field is valid UTF-8, which allows an attacker to crash the Calls plugin by sending a malformed request.
Published: 2025-12-17T18:14:10.973Z
Updated: 2025-12-17T19:29:54.734Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12559 vulnerable 2026-06-03 14:58:44.539004 Information Disclosure in Common Teams API
MEDIUM (4.3)
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses so that they are visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Published: 2025-11-27T16:36:30.545Z
Updated: 2025-11-28T15:20:44.142Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12421 vulnerable 2026-06-03 14:58:44.343176 Account Takeover via Code Exchange Endpoint
CRITICAL (9.9)
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Published: 2025-11-27T17:47:04.944Z
Updated: 2026-02-26T16:07:25.754Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12419 vulnerable 2026-06-03 14:58:44.339331 Account takeover on OAuth/OpenID-enabled servers
CRITICAL (9.9)
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.
Published: 2025-11-27T15:55:44.815Z
Updated: 2026-02-26T16:07:27.036Z
Reference links
Imported from gcve-enriched-dumps CVE data
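The two critical entries above (CVE-2025-12421 on the code-exchange endpoint, CVE-2025-12419 on OAuth state validation) share a root cause: a token in the login flow was accepted without proving it belonged to the flow and browser session that started it, and identity was taken from request data instead of from what the flow had already established. The Go example below is added here and is not Mattermost's code; it is a minimal server-side flow store that binds the OAuth `state` value and the later exchange code to the originating session, makes each single-use and time-limited, burns a token presented from the wrong session, and has the exchange step return the user the flow authenticated while ignoring anything else the client sends. The session IDs, user IDs, TTL and the injected clock are constructed for the example; verifying the IdP response itself happens before `callback` and is out of scope here.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	errUnknownFlow  = errors.New("oauth: unknown or expired token")
	errWrongSession = errors.New("oauth: token presented from a different browser session")
	errReplay       = errors.New("oauth: token already used")
)

// authFlow is the server-side record behind one login attempt. The state token
// (sent to the IdP) and the exchange code (handed to the client after the
// callback) are opaque keys to records like this; identity lives here, never
// in anything the client can rewrite.
type authFlow struct {
	sessionID string // browser session that started the flow
	userID    string // account the flow authenticated; empty until the callback
	expires   time.Time
	used      bool
}

type flowStore struct {
	mu      sync.Mutex
	byState map[string]*authFlow
	byCode  map[string]*authFlow
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry is testable offline
}

func newFlowStore(ttl time.Duration, now func() time.Time) *flowStore {
	return &flowStore{byState: map[string]*authFlow{}, byCode: map[string]*authFlow{}, ttl: ttl, now: now}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic("no entropy: " + err.Error()) // never fall back to weak tokens
	}
	return hex.EncodeToString(b)
}

// begin starts a flow for the calling session and returns the state for the IdP.
func (s *flowStore) begin(sessionID string) string {
	state := randomToken()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byState[state] = &authFlow{sessionID: sessionID, expires: s.now().Add(s.ttl)}
	return state
}

// redeem consumes a token: it must exist, be unexpired and unused, and belong
// to the session presenting it. A token shown from the wrong session is burned
// as well, so the flow can no longer be completed by anyone.
func (s *flowStore) redeem(table map[string]*authFlow, token, sessionID string) (*authFlow, error) {
	f, ok := table[token]
	if !ok || s.now().After(f.expires) {
		delete(table, token)
		return nil, errUnknownFlow
	}
	if f.used {
		return nil, errReplay
	}
	f.used = true
	if subtle.ConstantTimeCompare([]byte(f.sessionID), []byte(sessionID)) != 1 {
		return nil, errWrongSession
	}
	return f, nil
}

// callback handles the IdP redirect. idpUserID is the subject of the already
// verified IdP response; binding it into the code here is what lets the
// exchange step take identity from the flow rather than from the request.
func (s *flowStore) callback(state, sessionID, idpUserID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, err := s.redeem(s.byState, state, sessionID)
	if err != nil {
		return "", err
	}
	code := randomToken()
	s.byCode[code] = &authFlow{sessionID: f.sessionID, userID: idpUserID, expires: s.now().Add(s.ttl)}
	return code, nil
}

// exchange is the code-exchange endpoint: its only inputs are the code and the
// session cookie. Any email or user ID the client sends alongside is not used.
func (s *flowStore) exchange(code, sessionID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, err := s.redeem(s.byCode, code, sessionID)
	if err != nil {
		return "", err
	}
	return f.userID, nil
}

func main() {
	store := newFlowStore(5*time.Minute, time.Now)
	state := store.begin("sess-A")
	code, _ := store.callback(state, "sess-A", "user-42")
	fmt.Println(store.exchange(code, "sess-A"))
	fmt.Println(store.exchange(code, "sess-A"))
	_, err := store.callback(store.begin("sess-A"), "sess-B", "user-42")
	fmt.Println(err)
}
```

The store keeps used records until they expire so that a replay is reported as a replay rather than as an unknown token, which is the signal worth alerting on; a production version would also sweep expired entries rather than only deleting them on lookup.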
CVE:CVE-2025-11794 vulnerable 2026-06-03 14:58:43.074345 Password hash and MFA secret returned in user email verification endpoint
MEDIUM (4.9)
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
Published: 2025-11-14T10:45:39.244Z
Updated: 2025-12-01T15:36:58.365Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11777 vulnerable 2026-06-03 14:58:43.043650 Cross-team channel membership access
LOW (3.1)
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Published: 2025-11-13T17:32:03.975Z
Updated: 2025-11-13T18:01:46.459Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11776 vulnerable 2026-06-03 14:58:43.043269 Guest user can discover archived public channels
MEDIUM (4.3)
Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
Published: 2025-11-14T07:58:52.172Z
Updated: 2025-11-14T15:49:13.309Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-10545 vulnerable 2026-06-03 14:58:34.283585 Guest user can add unauthorized team users to private channels
LOW (3.1)
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
Published: 2025-10-16T08:24:25.928Z
Updated: 2025-10-16T14:14:09.887Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0503 vulnerable 2026-06-03 14:58:32.330268 Leaked User IDs and Metadata of Deleted DMs
LOW (3.1)
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Published: 2025-02-14T17:52:17.895Z
Updated: 2025-02-14T18:09:02.166Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9155 vulnerable 2026-06-03 14:58:20.638779 Insufficient Authorization On Unlinked Channel Files
MEDIUM (4.3)
Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
Published: 2024-09-26T14:57:43.987Z
Updated: 2024-09-26T15:17:25.819Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5272 vulnerable 2026-06-03 14:57:52.251958 Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a linked playbook run to see all the details of the playbook run when the run is marked as finished.
Published: 2024-05-26T13:29:57.813Z
Updated: 2024-08-01T21:11:12.451Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5270 vulnerable 2026-06-03 14:57:52.246939 SAML to email switch possible when email signin is disabled
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check whether the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication method from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.
Published: 2024-05-26T13:30:53.070Z
Updated: 2024-08-01T21:11:12.407Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-54682 vulnerable 2026-06-03 14:57:41.728704 Zipbomb DoS via Missing Slack Import Validation
MEDIUM (6.5)
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size of Slack import uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
Published: 2024-12-16T08:03:44.318Z
Updated: 2024-12-16T16:03:22.685Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-54083 vulnerable 2026-06-03 14:57:40.697262 DoS via lack of type validation in Calls
MEDIUM (6.5)
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.
Published: 2024-12-16T08:02:19.214Z
Updated: 2024-12-16T16:04:03.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52032 vulnerable 2026-06-03 14:57:28.855099 Private channel names leaking when Elasticsearch is enabled
MEDIUM (4.3)
Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query ElasticSearch when searching for the channel name in channel switcher which allows an attacker to get private channels names of channels that they are not a member of, when Elasticsearch v8 was enabled.
Published: 2024-11-09T17:19:35.639Z
Updated: 2024-11-12T14:52:07.690Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-50052 vulnerable 2026-06-03 14:57:23.567123 Arbitrary post deletion via Playbooks /ignore-thread endpoint
MEDIUM (4.3)
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
Published: 2024-10-29T08:10:17.129Z
Updated: 2024-10-29T12:52:31.657Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4198 vulnerable 2026-06-03 14:57:14.914587 Details available
LOW (2.7)
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.
Published: 2024-04-26T08:26:11.493Z
Updated: 2024-08-01T20:33:52.786Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4195 vulnerable 2026-06-03 14:57:14.909737 Details available
LOW (2.7)
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Published: 2024-04-26T08:26:00.685Z
Updated: 2024-08-01T20:33:52.915Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4183 vulnerable 2026-06-03 14:57:14.876398 Details available
MEDIUM (4.3)
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
Published: 2024-04-26T08:25:47.088Z
Updated: 2024-08-01T20:33:52.871Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-4182 vulnerable 2026-06-03 14:57:14.875767 Details available
MEDIUM (4.3)
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
Published: 2024-04-26T08:25:37.093Z
Updated: 2024-08-01T20:33:52.520Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-48872 vulnerable 2026-06-03 14:57:10.720960 Bypass of "Max failed attempts" restriction via race condition
MEDIUM (4.8)
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent the failed-login-attempt counter from being checked and updated concurrently, which allows an attacker to bypass the "Max failed attempts" restriction and submit a large number of login attempts before being blocked by sending multiple login requests simultaneously.
Published: 2024-12-16T08:01:01.444Z
Updated: 2024-12-16T16:04:58.409Z
Reference links
Imported from gcve-enriched-dumps CVE data
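The race above is the classic check-then-act window: the counter is read, the (slow) password check runs, and only then is the counter written, so requests that arrive together all read a value below the limit. The Go example below is added here and is not Mattermost's login code; `racyGate` has that shape and `safeGate` closes the window by reserving the attempt under the lock before verification starts, so the gate is correct no matter how many requests overlap. `hammer` is a constructed load generator that reports how many concurrent wrong-password attempts reached password verification; the user name and limit are sample values.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

var (
	errLocked      = errors.New("login: max failed attempts reached, account locked")
	errBadPassword = errors.New("login: invalid credentials")
)

// loginGate is the contract both limiters implement: verify runs the
// (expensive) password check and reports whether it passed.
type loginGate interface {
	attempt(user string, verify func() bool) error
}

// racyGate has the bug's shape: the read of the counter and the write that
// records a failure are separate critical sections with the password check in
// between. N requests arriving together all read a count below the limit
// before any of them writes, so all N are verified.
type racyGate struct {
	mu       sync.Mutex
	failed   map[string]int
	maxTries int
}

func (g *racyGate) attempt(user string, verify func() bool) error {
	g.mu.Lock()
	n := g.failed[user]
	g.mu.Unlock()
	if n >= g.maxTries {
		return errLocked
	}
	if verify() {
		g.mu.Lock()
		g.failed[user] = 0
		g.mu.Unlock()
		return nil
	}
	g.mu.Lock()
	g.failed[user] = n + 1 // stale n: concurrent failures overwrite each other
	g.mu.Unlock()
	return errBadPassword
}

// safeGate makes check-and-reserve one atomic step: the slot is taken under
// the lock before verification starts and is only given back on success.
// However many requests race, at most maxTries of them ever reach verify.
type safeGate struct {
	mu       sync.Mutex
	failed   map[string]int
	maxTries int
}

func (g *safeGate) attempt(user string, verify func() bool) error {
	g.mu.Lock()
	if g.failed[user] >= g.maxTries {
		g.mu.Unlock()
		return errLocked
	}
	g.failed[user]++ // reserved: counts as a failure until proven otherwise
	g.mu.Unlock()

	if verify() {
		g.mu.Lock()
		g.failed[user] = 0
		g.mu.Unlock()
		return nil
	}
	return errBadPassword
}

func newRacyGate(limit int) *racyGate { return &racyGate{failed: map[string]int{}, maxTries: limit} }
func newSafeGate(limit int) *safeGate { return &safeGate{failed: map[string]int{}, maxTries: limit} }

// hammer fires n simultaneous wrong-password logins for one user and returns
// how many of them reached password verification, i.e. got past the gate.
func hammer(g loginGate, n int) int {
	var reached int64
	var wg sync.WaitGroup
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // release every goroutine at once to maximise overlap
			g.attempt("alice", func() bool {
				atomic.AddInt64(&reached, 1)
				return false
			})
		}()
	}
	close(start)
	wg.Wait()
	return int(reached)
}

func main() {
	fmt.Printf("racy gate: %d of 200 concurrent attempts were verified (limit 5)\n", hammer(newRacyGate(5), 200))
	fmt.Printf("safe gate: %d of 200 concurrent attempts were verified (limit 5)\n", hammer(newSafeGate(5), 200))
}
```

The same reasoning applies when the counter lives in a database instead of a mutex-guarded map: the reservation has to be a single atomic statement (a conditional `UPDATE ... WHERE attempts < :max` whose affected-row count is the decision), not a `SELECT` followed by an `UPDATE`.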
CVE:CVE-2024-47401 vulnerable 2026-06-03 14:57:01.191269 DoS via Amplified GraphQL Response in Playbooks
MEDIUM (4.3)
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by sending a specially crafted request to Playbooks.
Published: 2024-10-29T08:11:17.553Z
Updated: 2024-10-29T12:52:04.161Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-47145 vulnerable 2026-06-03 14:57:00.756812 Unauthorized access on archived channels via file links
LOW (3.1)
Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links.
Published: 2024-09-26T08:01:48.199Z
Updated: 2024-09-26T13:12:52.240Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-47003 vulnerable 2026-06-03 14:57:00.345664 DoS via non-string message using permalink embed
LOW (3.1)
Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.
Published: 2024-09-26T08:05:16.392Z
Updated: 2024-09-26T13:11:00.827Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-46872 vulnerable 2026-06-03 14:57:00.006039 Client-Side Path Traversal Leading to CSRF in Playbooks
MEDIUM (4.6)
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection, which allows a one-click client-side path traversal that leads to CSRF in Playbooks.
Published: 2024-10-29T08:12:12.736Z
Updated: 2024-10-29T12:51:14.111Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-45843 vulnerable 2026-06-03 14:56:59.226900 Weak SSRF Filtering
LOW (3.1)
Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.
Published: 2024-09-26T08:03:41.827Z
Updated: 2024-09-26T13:11:54.474Z
Reference links
Imported from gcve-enriched-dumps CVE data
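An SSRF denylist that only names the AWS-style 169.254.169.254 address is the kind of gap the entry above describes. The Go program below is an added example, not Mattermost's fetcher code: it denylists whole ranges rather than single addresses, checks every resolved record rather than only the first, and enforces the same rule in the dialer so a DNS-rebinding answer cannot slip past a pre-flight check. That Oracle Cloud's metadata service sits at 169.254.169.254 and Alibaba Cloud's at 100.100.100.200 is this example's assumption about what the fix added; the advisory does not list the addresses. The host names in the test resolver are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// blockedNets are ranges an outbound fetcher (link previews, OpenGraph,
// webhooks) must never reach. 169.254.0.0/16 contains the cloud metadata
// service at 169.254.169.254 (AWS, GCP, Azure, Oracle Cloud); 100.64.0.0/10
// contains Alibaba Cloud's at 100.100.100.200 (both addresses are assumptions
// of this example).
var blockedNets = mustCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP also catches IPv4-mapped IPv6 (::ffff:a.b.c.d), because
// IPNet.Contains and the Is* helpers normalize through To4.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS so the check runs offline in tests; production code
// passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// CheckOutboundURL is the pre-flight check: scheme allowlist, then every
// address the host resolves to (not only the first) must be outside the denylist.
func CheckOutboundURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: resolve it
		if ips, err = resolve(host); err != nil {
			return err
		}
	}
	if len(ips) == 0 {
		return errors.New("host resolved to no addresses")
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("host %s resolves to denylisted address %s", host, ip)
		}
	}
	return nil
}

// dialControl enforces the same rule at connect time, on the exact address
// about to be dialed. A pre-flight check alone leaves a window between the
// lookup it did and the lookup the HTTP client does; this closes it.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("refusing to dial %s", address)
	}
	return nil
}

// NewOutboundClient returns an http.Client whose dialer applies dialControl.
func NewOutboundClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: (&net.Dialer{Control: dialControl}).DialContext,
	}}
}

func main() {
	for _, raw := range []string{
		"http://169.254.169.254/opc/v1/instance/",
		"http://100.100.100.200/latest/meta-data/",
		"http://[::ffff:169.254.169.254]/",
	} {
		fmt.Println(raw, "->", CheckOutboundURL(raw, net.LookupIP))
	}
	_ = NewOutboundClient()
}
```

Use NewOutboundClient for every server-side fetch of a user-supplied URL; the pre-flight check is still useful for a fast, descriptive error, but the dialer control is what actually prevents the connection. Redirects are covered too, because each hop goes through the same dialer.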
CVE:CVE-2024-43780 vulnerable 2026-06-03 14:56:46.850950 Unauthorized channel file upload
MEDIUM (4.3)
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.
Published: 2024-08-22T15:17:11.947Z
Updated: 2024-08-22T16:06:25.703Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-42497 vulnerable 2026-06-03 14:56:42.757123 Insufficient permissions checks on teams
MEDIUM (6)
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions, which allows a user with the System Manager role and read-only access to teams to perform write operations on teams.
Published: 2024-08-22T15:17:11.468Z
Updated: 2024-08-22T15:31:45.824Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-42406 vulnerable 2026-06-03 14:56:36.310326 Unauthorized access on archived channels
MEDIUM (5.4)
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
Published: 2024-09-26T08:04:22.939Z
Updated: 2024-09-26T13:11:34.682Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-42000 vulnerable 2026-06-03 14:56:35.688364 Unauthorized Access to view channels' details
LOW (2.7)
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels, which allows a User or System Manager with "Read Groups" permission but no access to channels to retrieve details about private channels they are not a member of by sending a request to /api/v4/channels.
Published: 2024-11-09T17:17:25.038Z
Updated: 2024-11-12T14:53:08.813Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-41926 vulnerable 2026-06-03 14:56:35.252633 Malicious remote can claim that a user was synced from another remote
LOW (2.7)
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
Published: 2024-08-01T14:05:10.650Z
Updated: 2024-08-01T14:32:10.107Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-41162 vulnerable 2026-06-03 14:56:34.170611 Malicious remote can make an arbitrary local channel read-only
MEDIUM (4.1)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
Published: 2024-08-01T14:05:09.501Z
Updated: 2024-08-02T15:01:29.868Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-41144 vulnerable 2026-06-03 14:56:34.091321 Malicious remote can create/update/delete arbitrary posts in arbitrary channels
MEDIUM (5.5)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts when shared channels are enabled, which allows a malicious remote to create, update or delete arbitrary posts in arbitrary channels.
Published: 2024-08-01T14:05:08.491Z
Updated: 2024-08-05T16:58:34.663Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-40884 vulnerable 2026-06-03 14:56:33.674979 Unauthorized disabling of invite URL
LOW (2.7)
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
Published: 2024-08-22T15:17:10.938Z
Updated: 2024-08-22T18:08:37.730Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-39839 vulnerable 2026-06-03 14:56:22.559579 Remote username set to an arbitrary string by remote user
MEDIUM (4.3)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to prevent users from setting their own remote username when shared channels are enabled, which allows a user on a remote to set their remote username prop to an arbitrary string that is then synced to the local server as long as the user had not been synced before.
Published: 2024-08-01T14:05:07.339Z
Updated: 2024-08-01T18:04:42.351Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-39837 vulnerable 2026-06-03 14:56:22.551831 Malicious remote can create arbitrary channels
LOW (3.8)
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
Published: 2024-08-01T14:05:06.182Z
Updated: 2024-08-01T20:47:51.530Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-36255 vulnerable 2026-06-03 14:56:03.811798 Post actions can run playbook checklist task commands
MEDIUM (5.7)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel.
Published: 2024-05-26T13:32:56.087Z
Updated: 2024-08-02T03:37:03.667Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-36250 vulnerable 2026-06-03 14:56:03.757087 MFA Code Replay
LOW (3.1)
Mattermost versions 9.11.x <= 9.11.2 and 9.5.x <= 9.5.10 fail to protect the MFA code against replay attacks, which allows an attacker to reuse the MFA code within roughly 30 seconds.
Published: 2024-11-09T17:18:34.703Z
Updated: 2024-11-12T14:52:39.191Z
Reference links
Imported from gcve-enriched-dumps CVE data
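A TOTP code is valid for the whole 30-second step, so a verifier that only checks "does this code match the current step" accepts it as many times as it is presented within that step. The remedy is to remember, per user, the highest time step already consumed and refuse any candidate step at or below it. The Go program below is an added example, not Mattermost's MFA code: it implements RFC 4226 HOTP, the RFC 6238 step arithmetic with one step of clock skew, and the consumed-step bookkeeping. The secret is the RFC 4226 test-vector secret, and the user ID and timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// HOTP implements RFC 4226 (HMAC-SHA1 with dynamic truncation). TOTP per
// RFC 6238 is HOTP with counter = unixTime / step.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

const (
	totpStep   = 30 * time.Second
	totpSkew   = 1 // accept one step either side for clock drift
	totpDigits = 6
)

// Verifier checks TOTP codes and remembers, per user, the highest time step
// that has already been accepted. A code seen once (captured from a request,
// phished, shoulder-surfed) therefore cannot be presented a second time.
// Drop the lastStep bookkeeping and this becomes the vulnerable verifier.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]int64 // in a cluster this belongs in the database
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]int64{}} }

func (v *Verifier) Verify(userID string, secret []byte, code string, now time.Time) bool {
	cur := now.Unix() / int64(totpStep/time.Second)
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		step := cur + d
		if step <= v.lastStep[userID] { // already consumed, or older than a consumed step
			continue
		}
		want := HOTP(secret, uint64(step), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep[userID] = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret, not a real one
	v := NewVerifier()
	now := time.Now()
	code := HOTP(secret, uint64(now.Unix()/30), totpDigits)
	fmt.Println("first use:", v.Verify("alice", secret, code, now))
	fmt.Println("replay   :", v.Verify("alice", secret, code, now.Add(5*time.Second)))
}
```

Because the skew window lets a code for step N-1 be accepted during step N, the bookkeeping must skip every step at or below the last consumed one, not only the exact step that was used. In a multi-node deployment the last consumed step has to be stored and compared-and-set in the database, for the same reason the failed-login counter has to be.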
CVE:CVE-2024-36241 vulnerable 2026-06-03 14:56:03.731621 /playbook add slash command allows viewing arbitrary post contents
LOW (3.1)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls, which allows a user to view arbitrary post contents via the /playbook add slash command.
Published: 2024-05-26T13:32:18.865Z
Updated: 2024-08-02T03:30:13.174Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-34152 vulnerable 2026-06-03 14:55:53.723570 Playbook Run Metadata leak to Guest
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control, which allows a guest to get the metadata of a public playbook run linked to a channel they are a guest in by sending an RHSRuns GraphQL query request to the server.
Published: 2024-05-26T13:28:16.722Z
Updated: 2024-09-03T16:03:29.404Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-34029 vulnerable 2026-06-03 14:55:53.384175 AD/LDAP Group Members Leak
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team.
Published: 2024-05-26T13:27:27.082Z
Updated: 2024-08-02T02:42:59.966Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-32046 vulnerable 2026-06-03 14:55:40.603627 Detailed error discloses full file path with dev mode off
MEDIUM (4.3)
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages from API responses even when developer mode is off, which allows an attacker to obtain information about the server such as the full path where files are stored.
Published: 2024-04-26T08:24:50.696Z
Updated: 2024-08-02T02:06:42.822Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-32045 vulnerable 2026-06-03 14:55:40.602014 Playbook run link to private channel grants channel access
MEDIUM (5.9)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of.
Published: 2024-05-26T13:29:07.516Z
Updated: 2024-08-02T02:06:42.837Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-31859 vulnerable 2026-06-03 14:55:40.173837 Member promoted to channel admin via playbooks run linking to channel
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks, which allows a member running a playbook in an existing channel to be promoted to a channel admin.
Published: 2024-05-26T13:31:42.704Z
Updated: 2024-08-02T01:59:49.900Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2450 vulnerable 2026-06-03 14:55:29.274900 Details available
HIGH (8.8)
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
Published: 2024-03-15T09:12:28.880Z
Updated: 2024-08-02T20:35:32.666Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2447 vulnerable 2026-06-03 14:55:29.264820 Details available
MEDIUM (6.5)
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
Published: 2024-04-05T08:52:59.664Z
Updated: 2024-08-01T19:11:53.562Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2446 vulnerable 2026-06-03 14:55:29.264405 Details available
MEDIUM (4.3)
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.
Published: 2024-03-15T09:11:21.446Z
Updated: 2024-08-01T19:11:53.477Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2445 vulnerable 2026-06-03 14:55:29.263972 Reflected XSS in Mattermost Jira plugin
MEDIUM (6.1)
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.
Published: 2024-03-15T09:19:50.127Z
Updated: 2024-08-01T19:11:53.602Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-29221 vulnerable 2026-06-03 14:55:27.137029 Invite ID available to team admins even without the "Add Members" permission
MEDIUM (4.7)
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lack proper access control in the `/api/v4/users/me/teams` endpoint, allowing a team admin to obtain the invite ID of their team and thus invite users even if the "Add Members" permission was explicitly removed from team admins.
Published: 2024-04-05T08:15:07.130Z
Updated: 2024-08-02T01:10:54.523Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-29215 vulnerable 2026-06-03 14:55:27.116353 Slash commands run in channel without channel membership via playbook task commands
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command.
Published: 2024-05-26T13:33:41.791Z
Updated: 2024-08-02T01:10:54.568Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-28949 vulnerable 2026-06-03 14:55:26.389873 DoS via a large number of User Preferences
MEDIUM (4.3)
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
Published: 2024-04-05T08:14:09.878Z
Updated: 2024-09-03T18:35:47.389Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-28053 vulnerable 2026-06-03 14:55:24.970362 Resource Exhaustion via the Invitation Feature
LOW (3.1)
Mattermost Server versions 8.1.x before 8.1.10 fail to limit the size of the payload read and parsed by the invitation feature, allowing an attacker to send a very large email payload and crash the server.
Published: 2024-03-15T09:08:04.993Z
Updated: 2024-08-12T13:40:25.079Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-24988 vulnerable 2026-06-03 14:55:06.204874 Excessive resource consumption when sending long emoji names in user custom status
MEDIUM (4.3)
Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.
Published: 2024-02-29T08:06:28.334Z
Updated: 2024-08-01T23:36:21.288Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-24776 vulnerable 2026-06-03 14:55:05.702291 Incorrect Authorization leads to Channel Member Count Leak
LOW (3.1)
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.
Published: 2024-02-09T14:50:45.443Z
Updated: 2024-08-01T23:28:12.437Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-24774 vulnerable 2026-06-03 14:55:05.700231 Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin)
LOW (3.4)
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.
Published: 2024-02-09T14:46:58.777Z
Updated: 2024-08-21T15:26:06.746Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23493 vulnerable 2026-06-03 14:55:03.963237 Team associated AD/LDAP Groups Leaked due to missing authorization
MEDIUM (4.3)
Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.
Published: 2024-02-29T08:02:32.128Z
Updated: 2024-08-01T23:06:24.717Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23488 vulnerable 2026-06-03 14:55:03.953882 Files of archived channels accessible with the “Allow users to view archived channels” option disabled
LOW (3.1)
Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the "Allow users to view archived channels" option is disabled.
Published: 2024-02-29T08:03:20.744Z
Updated: 2024-08-01T23:06:24.721Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23319 vulnerable 2026-06-03 14:55:02.267427 CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
LOW (3.5)
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.
Published: 2024-02-09T14:42:22.126Z
Updated: 2024-08-01T22:59:32.207Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-22091 vulnerable 2026-06-03 14:54:59.654881 Excessive resource consumption due to lack of request path size limits
LOW (3.1)
Mattermost versions 8.1.x <= 8.1.11, 9.5.x <= 9.5.2 and 9.6.x <= 9.6.0 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths.
Published: 2024-04-26T08:24:34.049Z
Updated: 2024-08-01T22:35:34.806Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-21848 vulnerable 2026-06-03 14:54:50.942371 Users maintain access to active call after being removed from a channel
LOW (3.1)
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel.
Published: 2024-04-05T08:13:01.713Z
Updated: 2025-02-27T19:28:16.621Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1953 vulnerable 2026-06-03 14:54:35.073822 Details available
MEDIUM (4.3)
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.
Published: 2024-02-29T10:42:41.576Z
Updated: 2024-08-16T20:58:25.047Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1952 vulnerable 2026-06-03 14:54:35.073388 Details available
LOW (3.1)
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
Published: 2024-02-29T10:42:15.362Z
Updated: 2025-04-22T15:52:35.817Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1949 vulnerable 2026-06-03 14:54:35.064521 Details available
LOW (2.6)
A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.
Published: 2024-02-29T10:41:54.916Z
Updated: 2024-08-01T18:56:22.631Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1942 vulnerable 2026-06-03 14:54:35.050998 Details available
MEDIUM (4.3)
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
Published: 2024-02-29T10:41:38.292Z
Updated: 2024-08-12T13:16:32.143Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1888 vulnerable 2026-06-03 14:54:34.880961 Existing server guests invited to the team by members without "invite_guest" permission
MEDIUM (4.3)
Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server
Published: 2024-02-29T08:08:08.272Z
Updated: 2024-08-01T18:56:22.307Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1887 vulnerable 2026-06-03 14:54:34.880448 Public channel post content accessible without membership when compliance export is enabled
MEDIUM (4.3)
Mattermost fails to check if compliance export is enabled when fetching posts of public channels, allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.
Published: 2024-02-29T08:05:29.776Z
Updated: 2024-08-07T17:38:09.687Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1402 vulnerable 2026-06-03 14:54:26.854443 Denial of service in mattermost mobile apps and server via emoji reactions
MEDIUM (4.3)
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the number of custom emojis allowed in a post, allowing an attacker who sends a huge number of non-existent custom emojis in a post to crash the mobile app of any user viewing the post and to crash the server by overloading it when clients attempt to retrieve that post.
Published: 2024-02-09T15:09:18.157Z
Updated: 2024-08-01T18:40:20.579Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12247 vulnerable 2026-06-03 14:54:15.908889 Improper propagation of permission scheme updates across cluster nodes
MEDIUM (4.6)
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.
Published: 2024-12-05T15:20:49.383Z
Updated: 2024-12-05T16:58:59.768Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-11599 vulnerable 2026-06-03 14:54:14.429559 Domain Restriction Bypass on Registration
HIGH (8.2)
Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.
Published: 2024-11-28T09:42:48.141Z
Updated: 2024-11-29T19:55:00.509Z
Reference links
Imported from gcve-enriched-dumps CVE data
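The entry above says only that "carefully crafted input" defeats the domain check; it does not say which input. The general lesson is that an allowed-domain check must be computed from the canonical form of the address, not from whatever substring a split on '@' happens to return. The Go program below is an added example, not Mattermost's validation code: it shows a naive split-based check next to a strict one built on net/mail, and the bypass-style inputs in the test are constructed by the author to exercise the difference, not taken from the advisory. The allowlist domain is made up.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// naiveDomain is the shape of check that gets bypassed: it splits on '@' and
// trusts whatever sits between the first and second one.
func naiveDomain(raw string) string {
	parts := strings.Split(raw, "@")
	if len(parts) < 2 {
		return ""
	}
	return strings.ToLower(parts[1])
}

// DomainAllowed accepts raw only if it is a bare addr-spec (no display name,
// comment or quoted local part) and the domain after the LAST '@' is on the
// allowlist. Any form that the mail system would deliver somewhere other than
// where a naive split thinks it goes is rejected, with a reason for logging.
func DomainAllowed(raw string, allowed []string) (bool, string) {
	addr, err := mail.ParseAddress(raw)
	if err != nil {
		return false, "unparseable address"
	}
	// ParseAddress canonicalizes: it strips display names and comments and
	// unquotes the local part. If the canonical form differs from the input,
	// the input carried syntax that a simpler consumer may read differently.
	if addr.Name != "" || addr.Address != raw {
		return false, "not a bare addr-spec"
	}
	at := strings.LastIndex(raw, "@")
	if at <= 0 || at == len(raw)-1 {
		return false, "missing local part or domain"
	}
	local, domain := raw[:at], strings.ToLower(raw[at+1:])
	if strings.ContainsAny(local, "@\"()<>,;: ") {
		return false, "local part contains delimiter characters"
	}
	for _, d := range allowed {
		if domain == strings.ToLower(d) { // exact match: sub.example.com is not example.com
			return true, ""
		}
	}
	return false, "domain not in allowlist"
}

func main() {
	allowed := []string{"example.com"}
	for _, e := range []string{
		"alice@example.com",
		"alice@example.com@evil.com",
		`"alice@example.com"@evil.com`,
		"Alice <alice@example.com>",
	} {
		ok, why := DomainAllowed(e, allowed)
		fmt.Printf("%-34q naive=%-22q allowed=%v %s\n", e, naiveDomain(e), ok, why)
	}
}
```

Trim whitespace before calling DomainAllowed, since any difference between the input and its canonical form is treated as a rejection. Whether subdomains of an allowed domain should count is a policy decision; the exact match here is the conservative default.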
CVE:CVE-2024-10241 vulnerable 2026-06-03 14:54:05.171549 Private channel names leaked with Ctrl+K when ElasticSearch is enabled
MEDIUM (4.3)
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
Published: 2024-10-29T08:08:20.873Z
Updated: 2024-10-29T12:52:53.569Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-7113 vulnerable 2026-06-03 14:53:59.999426 Details available
LOW (3.7)
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
Published: 2023-12-29T12:46:13.932Z
Updated: 2024-08-02T08:50:08.283Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6727 vulnerable 2026-06-03 14:53:58.747008 Leak Inaccessible Playbook Information via Channel Action IDOR
LOW (3.1)
Mattermost fails to perform correct authorization checks when creating a playbook action, allowing users without access to the playbook to create playbook actions. If the playbook action created is to post a message in a channel based on specific keywords in a post, some playbook information, like the name, can be leaked.
Published: 2023-12-12T10:53:02.127Z
Updated: 2025-05-24T10:25:36.906Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6547 vulnerable 2026-06-03 14:53:52.111196 Playbooks access/modification by removed team member
LOW (3.7)
Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team.
Published: 2023-12-12T08:22:41.419Z
Updated: 2025-05-12T19:28:29.898Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6459 vulnerable 2026-06-03 14:53:51.933377 Public endpoint /metrics of Calls plugin reveals channel IDs
MEDIUM (5.3)
The Mattermost Calls plugin groups calls in its /metrics endpoint by ID and reports that ID in the response. Since this ID is the channel ID, the public /metrics endpoint reveals channel IDs.
Published: 2023-12-06T08:11:36.417Z
Updated: 2024-12-16T16:02:20.087Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-6458 vulnerable 2026-06-03 14:53:51.932957 Client side path traversal due to lack of route parameters validation
HIGH (7.1)
Mattermost webapp fails to validate route parameters in /<TEAM_NAME>/channels/<CHANNEL_NAME>, allowing an attacker to perform a client-side path traversal.
Published: 2023-12-06T08:10:18.481Z
Updated: 2024-08-02T08:28:21.829Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5333 vulnerable 2026-06-03 14:53:48.282486 Denial of Service via multiple identical User IDs in /api/v4/users/ids
MEDIUM (4.3)
Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
Published: 2023-10-09T10:41:36.597Z
Updated: 2024-09-05T19:46:32.169Z
Reference links
Imported from gcve-enriched-dumps CVE data
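This entry, together with CVE-2024-1953 (unbounded list of role names) and CVE-2024-28949 (unbounded number of user preferences) above, describes the same defect: a handler that reads and processes however many items a client sends. The Go program below is an added example, not Mattermost's handler code. It shows the three guards such an endpoint needs, in the order they must apply: cap the raw body before parsing it, cap the element count after parsing, and deduplicate so each ID costs one lookup. The endpoint path is taken from the CVE title; the limits and the request bodies in the test are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

const (
	maxBodyBytes = 64 << 10 // 64 KiB; a list of a few hundred IDs is well under this
	maxIDs       = 200
)

var ErrTooManyIDs = errors.New("too many ids in request")

// Dedup keeps the first occurrence of each ID, preserving order.
func Dedup(ids []string) []string {
	seen := make(map[string]struct{}, len(ids))
	out := make([]string, 0, len(ids))
	for _, id := range ids {
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		out = append(out, id)
	}
	return out
}

// ParseIDList decodes a JSON array of IDs with three guards the vulnerable
// pattern lacks: the body is capped before it is parsed (MaxBytesReader makes
// the decoder fail as soon as the limit is crossed, so a multi-megabyte array
// is never materialized), the element count is capped after, and duplicates
// are collapsed.
func ParseIDList(w http.ResponseWriter, r *http.Request) ([]string, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var ids []string
	if err := json.NewDecoder(r.Body).Decode(&ids); err != nil {
		return nil, fmt.Errorf("decode ids: %w", err)
	}
	if len(ids) > maxIDs {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooManyIDs, len(ids), maxIDs)
	}
	return Dedup(ids), nil
}

// IDsHandler maps guard failures to a 4xx. The lookup itself is stubbed: it
// reports how many distinct IDs would reach the store.
func IDsHandler(w http.ResponseWriter, r *http.Request) {
	ids, err := ParseIDList(w, r)
	switch {
	case errors.Is(err, ErrTooManyIDs):
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	case err != nil: // malformed JSON, or the byte cap hit mid-decode
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "%d distinct ids\n", len(ids))
}

func main() {
	http.HandleFunc("/api/v4/users/ids", IDsHandler)
	fmt.Println("listening on :8080")
	fmt.Println(http.ListenAndServe(":8080", nil))
}
```

On Go 1.19 and later the byte-cap case can be told apart from malformed JSON with errors.As against *http.MaxBytesError and answered with 413 instead of 400; the example keeps a single 400 so it compiles on older toolchains.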
CVE:CVE-2023-5331 vulnerable 2026-06-03 14:53:48.277291 File Information Leak via IDOR in file_id in Draft Posts
MEDIUM (4.3)
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
Published: 2023-10-09T10:40:26.436Z
Updated: 2024-09-05T19:47:23.046Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-5330 vulnerable 2026-06-03 14:53:48.276517 Denial of Service via Opengraph Data Cache
MEDIUM (4.3)
Mattermost fails to enforce a limit on the size of cache entries for OpenGraph data, allowing an attacker to send specially crafted requests to the /api/v4/opengraph endpoint that fill the cache and make the server unavailable.
Published: 2023-10-09T10:38:39.415Z
Updated: 2024-09-05T19:47:56.144Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-50333 vulnerable 2026-06-03 14:53:30.898017 Lack of restriction to manage group names for freshly demoted guests
LOW (3.7)
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
Published: 2024-01-02T09:53:01.990Z
Updated: 2025-06-17T13:35:30.706Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-4478 vulnerable 2026-06-03 14:53:28.153083 Parameter tampering in the registration resulting in blocked accounts to be created
MEDIUM (4.3)
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.
Published: 2023-08-25T09:06:06.310Z
Updated: 2024-09-30T18:17:59.871Z
Reference links
Imported from gcve-enriched-dumps CVE data
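The entry above is the mass-assignment pattern: the signup handler binds the request body straight onto the user model, so a field the server owns (here, whether the account is active) can be set by the client. The Go program below is an added example, not Mattermost's signup code, and its field names are the author's, not Mattermost's. It shows the vulnerable binding next to a hardened one that decodes into a dedicated request type, rejects unknown fields, and assigns every server-owned field itself. The payloads in the test are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is the stored model. Active, DeleteAt and CreateAt are owned by the
// server and must never be settable by the person registering.
type User struct {
	Email    string `json:"email"`
	Username string `json:"username"`
	Password string `json:"password,omitempty"`
	Active   bool   `json:"active"`
	DeleteAt int64  `json:"delete_at"`
	CreateAt int64  `json:"create_at"`
}

// vulnerableSignup sets sane defaults and then unmarshals the request body
// over them. encoding/json only touches fields present in the input, so the
// client gets to overwrite any default it names: "active": false registers an
// account that cannot log in until an admin activates it.
func vulnerableSignup(body []byte, now time.Time) (*User, error) {
	u := User{Active: true, CreateAt: now.UnixMilli()}
	if err := json.Unmarshal(body, &u); err != nil {
		return nil, err
	}
	return &u, nil
}

// signupRequest is the only shape the hardened handler accepts from the network.
type signupRequest struct {
	Email    string `json:"email"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// hardenedSignup binds an explicit request type, rejects unknown fields so an
// attempt to smuggle "active" fails loudly instead of being silently dropped,
// and then builds the User itself so every privileged field has the value the
// server chose.
func hardenedSignup(body []byte, now time.Time) (*User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req signupRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("signup: %w", err)
	}
	if req.Email == "" || req.Username == "" || req.Password == "" {
		return nil, errors.New("signup: email, username and password are required")
	}
	return &User{
		Email:    strings.ToLower(strings.TrimSpace(req.Email)),
		Username: req.Username,
		// Password: hash req.Password with bcrypt or argon2 before storing; elided here.
		Active:   true, // server-owned: a fresh signup is always active
		CreateAt: now.UnixMilli(),
	}, nil
}

func main() {
	payload := []byte(`{"email":"eve@example.com","username":"eve","password":"hunter2","active":false,"delete_at":1}`)
	now := time.Now()
	u, _ := vulnerableSignup(payload, now)
	fmt.Printf("vulnerable: active=%v delete_at=%d\n", u.Active, u.DeleteAt)
	_, err := hardenedSignup(payload, now)
	fmt.Println("hardened:", err)
}
```

Rejecting unknown fields is a choice: silently ignoring them is also safe as long as the request type only carries client-settable fields, but a hard failure surfaces tampering in the logs rather than hiding it.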
CVE:CVE-2023-49874 vulnerable 2026-06-03 14:53:26.656333 IDOR when updating the tasks of a private playbook run
MEDIUM (4.3)
Mattermost fails to check whether a user is a guest when updating the tasks of a private playbook run allowing a guest to update the tasks of a private playbook run if they know the run ID.
Published: 2023-12-12T08:17:53.947Z
Updated: 2024-08-02T22:01:26.180Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-49809 vulnerable 2026-06-03 14:53:26.478588 Todo plugin gets crashed and disabled by member
MEDIUM (4.3)
Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with a null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled.
Published: 2023-12-12T08:20:08.321Z
Updated: 2024-08-02T22:01:26.051Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-49607 vulnerable 2026-06-03 14:53:20.893136 Playbook plugin crash via missing interface type assertion
MEDIUM (4.3)
Mattermost fails to validate the type of the "reminder" body request parameter allowing an attacker to crash the Playbook Plugin when updating the status dialog.
Published: 2023-12-12T08:21:36.568Z
Updated: 2024-08-02T22:01:26.012Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-48732 vulnerable 2026-06-03 14:53:19.694251 Keywords that trigger mentions are leaked to other users
MEDIUM (4.3)
Mattermost fails to scope the WebSocket response about notified users to each user separately, resulting in the WebSocket broadcasting to everyone else in the channel the information about who was notified about a post.
Published: 2024-01-02T09:52:01.147Z
Updated: 2025-06-03T14:45:52.518Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-47858 vulnerable 2026-06-03 14:53:18.369988 Details of archived public channels are leaked to members of another team
MEDIUM (4.3)
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.
Published: 2024-01-02T09:54:25.057Z
Updated: 2025-06-17T20:29:05.638Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-46701 vulnerable 2026-06-03 14:53:16.217741 Inaccessible Post Information Leak via Run Timeline IDOR
MEDIUM (6.5)
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID.
Published: 2023-12-12T08:19:22.274Z
Updated: 2024-08-02T20:53:20.920Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-45847 vulnerable 2026-06-03 14:53:08.695302 Playbook Plugin Crash via Run Checklist
MEDIUM (4.3)
Mattermost fails to check the length of the title when setting it in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin.
Published: 2023-12-12T08:17:10.088Z
Updated: 2024-12-02T16:58:14.026Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-45316 vulnerable 2026-06-03 14:53:07.929138 Reflected client side path traversal leading to CSRF in Playbooks
HIGH (7.3)
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
Published: 2023-12-12T08:23:17.299Z
Updated: 2025-05-24T10:26:51.058Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3614 vulnerable 2026-06-03 14:52:41.318298 Denial of Service via specially crafted gif image
MEDIUM (4.3)
Mattermost fails to properly validate a gif image file, allowing an attacker to consume a significant amount of server resources, making the server unresponsive for an extended period of time by linking to a specially crafted image file.
Published: 2023-07-17T15:32:16.646Z
Updated: 2024-10-21T19:39:59.068Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3613 vulnerable 2026-06-03 14:52:41.317800 Guest accounts invited and added to channels by Welcomebot plugin
LOW (3.5)
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
Published: 2023-07-17T15:31:23.674Z
Updated: 2024-10-21T19:39:44.854Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3593 vulnerable 2026-06-03 14:52:41.247568 Server crash via a specially crafted markdown input
MEDIUM (4.3)
Mattermost fails to properly validate markdown, allowing an attacker to crash the server via a specially crafted markdown input.
Published: 2023-07-17T15:38:57.759Z
Updated: 2024-10-21T19:40:56.331Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3591 vulnerable 2026-06-03 14:52:41.244024 Lack of previous password reset tokens on new token creation
MEDIUM (4.8)
Mattermost fails to invalidate previously generated password reset tokens when a new reset token was created.
Published: 2023-07-17T15:30:05.295Z
Updated: 2024-10-21T19:39:25.304Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3590 vulnerable 2026-06-03 14:52:41.243598 Deleted attachments in Boards remain accessible
LOW (3.1)
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
Published: 2023-07-17T15:28:50.860Z
Updated: 2024-10-21T19:43:23.581Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3587 vulnerable 2026-06-03 14:52:41.225963 Inconsistent state in UI after boards permission change by system admin
LOW (2.7)
Mattermost fails to properly show information in the UI: a system admin can modify a board's state so that any user with a valid sharing link can join the board with editor access, without the UI showing the updated permissions.
Published: 2023-07-17T15:26:51.996Z
Updated: 2024-10-22T13:40:42.183Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3586 vulnerable 2026-06-03 14:52:41.225582 Disabling publicly-shared boards does not disable existing publicly available board links
MEDIUM (4.2)
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously shared public Boards remaining accessible.
Published: 2023-07-17T15:25:30.532Z
Updated: 2024-10-22T13:40:29.225Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3585 vulnerable 2026-06-03 14:52:41.225184 channel DoS by sharing a boards link
MEDIUM (4.3)
Mattermost Boards fail to properly validate a board link, allowing an attacker to crash a channel by posting a specially crafted boards link.
Published: 2023-07-17T15:24:20.975Z
Updated: 2024-10-21T19:43:02.507Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3584 vulnerable 2026-06-03 14:52:41.224794 Member can create team with team override scheme
LOW (3.1)
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
Published: 2023-07-17T15:23:02.918Z
Updated: 2024-10-21T19:50:40.857Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3582 vulnerable 2026-06-03 14:52:41.224415 Lack of channel membership check when linking a board to a channel
MEDIUM (4.3)
Mattermost fails to verify channel membership when linking a board to a channel, allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to.
Published: 2023-07-17T15:21:35.038Z
Updated: 2024-10-21T19:59:17.695Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3581 vulnerable 2026-06-03 14:52:41.223997 WebSockets accept connections from HTTPS origin
MEDIUM (6.2)
Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.
Published: 2023-07-17T15:20:00.186Z
Updated: 2024-10-30T13:54:50.335Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3577 vulnerable 2026-06-03 14:52:41.218333 Limited blind SSRF to localhost/intranet in interactive dialog implementation
LOW (3.5)
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
Published: 2023-07-17T15:18:07.871Z
Updated: 2024-10-21T19:58:58.448Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2515 vulnerable 2026-06-03 14:51:43.292997 Privilege escalation to system admin via personal access tokens
MEDIUM (4.7)
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin.
Published: 2023-05-12T08:53:44.111Z
Updated: 2024-12-06T23:04:24.695Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2281 vulnerable 2026-06-03 14:51:42.624064 Archiving a team broadcasts unsanitized data over WebSockets
LOW (3.1)
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.
Published: 2023-04-25T13:04:42.287Z
Updated: 2024-12-06T23:04:46.320Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-27266 vulnerable 2026-06-03 14:51:00.801117 Disclosure of team owner email address when accessing the teams API
LOW (2.7)
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Published: 2023-02-27T14:46:28.880Z
Updated: 2024-12-06T23:06:25.577Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-27265 vulnerable 2026-06-03 14:51:00.800513 Disclosure of team owner email address when regenerating Invite ID
LOW (2.7)
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Published: 2023-02-27T14:46:23.494Z
Updated: 2024-12-06T23:06:38.055Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1831 vulnerable 2026-06-03 14:48:56.564938 User password logged in audit logs
HIGH (7.2)
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
Published: 2023-04-17T14:21:13.233Z
Updated: 2024-12-06T23:05:08.457Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1777 vulnerable 2026-06-03 14:48:56.486271 Information disclosure in linked message previews
MEDIUM (6.5)
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
Published: 2023-03-31T11:35:22.813Z
Updated: 2024-12-06T23:05:19.185Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1776 vulnerable 2026-06-03 14:48:56.485872 Stored XSS via SVG attachment on Boards
HIGH (7.3)
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
Published: 2023-03-31T11:29:36.185Z
Updated: 2024-12-06T23:05:30.076Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1775 vulnerable 2026-06-03 14:48:56.485472 Unsanitized events sent over Websocket to regular users in a High Availability environment
MEDIUM (4.3)
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
Published: 2023-03-31T11:26:21.640Z
Updated: 2024-12-06T23:05:41.615Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1774 vulnerable 2026-06-03 14:48:56.482794 Unauthorized email invite to a private channel
MEDIUM (4.2)
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
Published: 2023-03-31T11:14:00.954Z
Updated: 2024-12-06T23:05:52.973Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-1421 vulnerable 2026-06-03 14:48:55.452728 Reflected XSS in OAuth flow completion endpoints
LOW (3.5)
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter.
Published: 2023-03-15T22:51:25.597Z
Updated: 2024-12-06T23:06:14.595Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3257 vulnerable 2026-06-03 14:47:52.574204 Server-side Denial of Service while processing a specifically crafted GIF file
LOW (3.1)
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.
Published: 2022-09-23T14:13:39.000Z
Updated: 2024-12-06T23:07:48.369Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3147 vulnerable 2026-06-03 14:47:52.328901 Server-side Denial of Service while processing a specifically crafted JPEG file
LOW (3.1)
Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service.
Published: 2022-09-09T14:39:51.000Z
Updated: 2024-12-06T23:08:00.683Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2401 vulnerable 2026-06-03 14:47:06.263572 Team members could access sensitive information of other users via an API call
MEDIUM (6.5)
Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
Published: 2022-07-14T17:20:49.000Z
Updated: 2024-12-06T23:08:34.889Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2366 vulnerable 2026-06-03 14:47:06.180443 Incorrect defaults can cause attackers to bypass rate limitations
MEDIUM (5.6)
Incorrect default configuration for the trusted IP header in Mattermost version 6.7.0 and earlier allows an attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers.
Published: 2022-07-11T14:08:50.000Z
Updated: 2024-12-06T23:08:46.139Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1982 vulnerable 2026-06-03 14:46:00.017883 A crafted SVG attachment can crash a Mattermost server
MEDIUM (4.3)
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
Published: 2022-06-02T17:03:07.000Z
Updated: 2024-12-06T23:08:59.559Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1385 vulnerable 2026-06-03 14:45:58.634329 Invitation Email is resent as a Reminder after invalidating pending email invites
LOW (3.7)
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.
Published: 2022-04-19T20:26:27.000Z
Updated: 2024-12-06T23:09:33.235Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1384 vulnerable 2026-06-03 14:45:58.633853 Authorized users are allowed to install old plugin versions from the Marketplace
MEDIUM (4.7)
Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.
Published: 2022-04-19T20:26:28.000Z
Updated: 2024-12-06T23:09:22.478Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1337 vulnerable 2026-06-03 14:45:58.574394 OOM DoS in Mattermost image proxy
MEDIUM (4.3)
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.
Published: 2022-04-13T17:06:00.000Z
Updated: 2024-12-06T23:10:06.768Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1332 vulnerable 2026-06-03 14:45:58.562430 Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents
MEDIUM (4.3)
One of the APIs in Mattermost version 6.4.1 and earlier fails to properly enforce permissions, which allows authenticated members with a restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
Published: 2022-04-13T17:06:03.000Z
Updated: 2024-12-06T23:09:44.384Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0904 vulnerable 2026-06-03 14:45:57.381258 Stack overflow in document extractor in Mattermost
MEDIUM (4.3)
A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.
Published: 2022-03-09T15:21:17.000Z
Updated: 2024-12-06T23:10:39.908Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-0903 vulnerable 2026-06-03 14:45:57.380646 Stack overflow in SAML login in Mattermost
MEDIUM (5.3)
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
Published: 2022-03-09T15:17:27.000Z
Updated: 2024-12-06T23:10:52.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37863 vulnerable 2026-06-03 14:45:01.207193 Details available
LOW (3.5)
Mattermost 6.0 and earlier fails to sufficiently validate parameters during post creation, which allows authenticated attackers to cause a client-side crash of the web application via a maliciously crafted post.
Published: 2021-12-17T16:10:30.000Z
Updated: 2024-08-04T01:30:08.631Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37862 vulnerable 2026-06-03 14:45:01.206728 Details available
LOW (3.7)
Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via a crafted invitation token.
Published: 2021-12-17T16:10:29.000Z
Updated: 2024-08-04T01:30:09.135Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14460 vulnerable 2026-06-03 14:41:43.841640 Details available
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
Published: 2020-06-19T13:16:12.000Z
Updated: 2024-08-04T12:46:34.481Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14459 vulnerable 2026-06-03 14:41:43.841211 Details available
An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002.
Published: 2020-06-19T13:15:13.000Z
Updated: 2024-08-04T12:46:34.668Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14458 vulnerable 2026-06-03 14:41:43.840755 Details available
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
Published: 2020-06-19T13:14:22.000Z
Updated: 2024-08-04T12:46:34.547Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14457 vulnerable 2026-06-03 14:41:43.840402 Details available
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
Published: 2020-06-19T13:13:32.000Z
Updated: 2024-08-04T12:46:34.484Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14453 vulnerable 2026-06-03 14:41:43.837293 Details available
An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
Published: 2020-06-19T13:10:05.000Z
Updated: 2024-08-04T12:46:34.635Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14452 vulnerable 2026-06-03 14:41:43.836893 Details available
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
Published: 2020-06-19T13:09:31.000Z
Updated: 2024-08-04T12:46:34.538Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14450 vulnerable 2026-06-03 14:41:43.834347 Details available
An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service (client-side), aka MMSA-2020-0017.
Published: 2020-06-19T13:07:52.000Z
Updated: 2024-08-04T12:46:34.627Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14448 vulnerable 2026-06-03 14:41:43.832003 Details available
An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0020.
Published: 2020-06-19T13:05:34.000Z
Updated: 2024-08-04T12:46:34.326Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14447 vulnerable 2026-06-03 14:41:43.831502 Details available
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite loop), aka MMSA-2020-0021.
Published: 2020-06-19T13:04:19.000Z
Updated: 2024-08-04T12:46:34.187Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20890 vulnerable 2026-06-03 14:40:17.786088 Details available
An issue was discovered in Mattermost Server before 5.7. It allows a bypass of e-mail address discovery restrictions.
Published: 2020-06-19T16:44:59.000Z
Updated: 2024-08-05T02:53:09.474Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20889 vulnerable 2026-06-03 14:40:17.785678 Details available
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
Published: 2020-06-19T16:47:07.000Z
Updated: 2024-08-05T02:53:09.488Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20888 vulnerable 2026-06-03 14:40:17.779914 Details available
An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a slash command integration.
Published: 2020-06-19T16:46:39.000Z
Updated: 2024-08-05T02:53:09.641Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20887 vulnerable 2026-06-03 14:40:17.779565 Details available
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.
Published: 2020-06-19T16:39:39.000Z
Updated: 2024-08-05T02:53:09.598Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20886 vulnerable 2026-06-03 14:40:17.779254 Details available
An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
Published: 2020-06-19T16:45:44.000Z
Updated: 2024-08-05T02:53:09.450Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20885 vulnerable 2026-06-03 14:40:17.778952 Details available
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
Published: 2020-06-19T16:39:33.000Z
Updated: 2024-08-05T02:53:09.487Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20884 vulnerable 2026-06-03 14:40:17.778662 Details available
An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
Published: 2020-06-19T16:42:05.000Z
Updated: 2024-08-05T02:53:09.448Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20883 vulnerable 2026-06-03 14:40:17.778378 Details available
An issue was discovered in Mattermost Server before 5.8.0, when Town Square is set to Read-Only. Users can pin or unpin a post.
Published: 2020-06-19T16:39:30.000Z
Updated: 2024-08-05T02:53:09.428Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20882 vulnerable 2026-06-03 14:40:17.778085 Details available
An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
Published: 2020-06-19T16:39:23.000Z
Updated: 2024-08-05T02:53:09.425Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20881 vulnerable 2026-06-03 14:40:17.777782 Details available
An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
Published: 2020-06-19T16:29:01.000Z
Updated: 2024-08-05T02:53:09.496Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20880 vulnerable 2026-06-03 14:40:17.777376 Details available
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service (memory consumption) via OpenGraph.
Published: 2020-06-19T16:29:00.000Z
Updated: 2024-08-05T02:53:09.499Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20879 vulnerable 2026-06-03 14:40:17.770423 Details available
An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. Changes to e-mail addresses do not require credential re-entry.
Published: 2020-06-19T16:29:00.000Z
Updated: 2024-08-05T02:53:09.541Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20878 vulnerable 2026-06-03 14:40:17.770037 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Changes, within the application, to e-mail addresses are mishandled.
Published: 2020-06-19T16:29:00.000Z
Updated: 2024-08-05T02:53:09.540Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20877 vulnerable 2026-06-03 14:40:17.769548 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
Published: 2020-06-19T16:28:20.000Z
Updated: 2024-08-05T02:53:09.368Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20876 vulnerable 2026-06-03 14:40:17.769182 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
Published: 2020-06-19T16:22:57.000Z
Updated: 2024-08-05T02:53:09.458Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20875 vulnerable 2026-06-03 14:40:17.768818 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail address is being changed.
Published: 2020-06-19T16:22:05.000Z
Updated: 2024-08-05T02:53:09.539Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20874 vulnerable 2026-06-03 14:40:17.768456 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
Published: 2020-06-19T15:42:50.000Z
Updated: 2024-08-05T02:53:09.546Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20873 vulnerable 2026-06-03 14:40:17.768077 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
Published: 2020-06-19T15:24:13.000Z
Updated: 2024-08-05T02:53:09.459Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20872 vulnerable 2026-06-03 14:40:17.767694 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
Published: 2020-06-19T15:23:27.000Z
Updated: 2024-08-05T02:53:09.430Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20871 vulnerable 2026-06-03 14:40:17.767294 Details available
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
Published: 2020-06-19T15:22:39.000Z
Updated: 2024-08-05T02:53:09.535Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20870 vulnerable 2026-06-03 14:40:17.766951 Details available
An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID.
Published: 2020-06-19T15:21:54.000Z
Updated: 2024-08-05T02:53:09.364Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20869 vulnerable 2026-06-03 14:40:17.762169 Details available
An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel.
Published: 2020-06-19T15:21:12.000Z
Updated: 2024-08-05T02:53:09.541Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20868 vulnerable 2026-06-03 14:40:17.761768 Details available
An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
Published: 2020-06-19T15:19:47.000Z
Updated: 2024-08-05T02:53:09.550Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20867 vulnerable 2026-06-03 14:40:17.761458 Details available
An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
Published: 2020-06-19T15:18:25.000Z
Updated: 2024-08-05T02:53:09.455Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20866 vulnerable 2026-06-03 14:40:17.761149 Details available
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
Published: 2020-06-19T15:13:15.000Z
Updated: 2024-08-05T02:53:09.422Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20865 vulnerable 2026-06-03 14:40:17.757123 Details available
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
Published: 2020-06-19T15:12:28.000Z
Updated: 2024-08-05T02:53:09.424Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20863 vulnerable 2026-06-03 14:40:17.754802 Details available
An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
Published: 2020-06-19T14:18:41.000Z
Updated: 2024-08-05T02:53:09.472Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20862 vulnerable 2026-06-03 14:40:17.754527 Details available
An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
Published: 2020-06-19T14:17:46.000Z
Updated: 2024-08-05T02:53:09.407Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20860 vulnerable 2026-06-03 14:40:17.750684 Details available
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
Published: 2020-06-19T14:14:57.000Z
Updated: 2024-08-05T02:53:09.427Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20859 vulnerable 2026-06-03 14:40:17.747305 Details available
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
Published: 2020-06-19T14:13:02.000Z
Updated: 2024-08-05T02:53:09.405Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20858 vulnerable 2026-06-03 14:40:17.746988 Details available
An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted characters in a SQL LIKE clause to an APIv4 endpoint.
Published: 2020-06-19T14:11:43.000Z
Updated: 2024-08-05T02:53:09.598Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20857 vulnerable 2026-06-03 14:40:17.746698 Details available
An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via many backtick characters.
Published: 2020-06-19T14:10:50.000Z
Updated: 2024-08-05T02:53:09.440Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20855 vulnerable 2026-06-03 14:40:17.744840 Details available
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
Published: 2020-06-19T14:06:36.000Z
Updated: 2024-08-05T02:53:09.392Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20854 vulnerable 2026-06-03 14:40:17.744520 Details available
An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side application crash) via a LaTeX message.
Published: 2020-06-19T14:05:45.000Z
Updated: 2024-08-05T02:53:09.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20847 vulnerable 2026-06-03 14:40:17.735594 Details available
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
Published: 2020-06-19T13:31:36.000Z
Updated: 2024-08-05T02:53:09.195Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20846 vulnerable 2026-06-03 14:40:17.735333 Details available
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
Published: 2020-06-19T13:29:06.000Z
Updated: 2024-08-05T02:53:09.395Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20845 vulnerable 2026-06-03 14:40:17.735071 Details available
An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a large Slack import.
Published: 2020-06-19T13:27:42.000Z
Updated: 2024-08-05T02:53:09.331Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20844 vulnerable 2026-06-03 14:40:17.734730 Details available
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message channel by changing the type of a channel.
Published: 2020-06-19T13:26:49.000Z
Updated: 2024-08-05T02:53:09.440Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20843 vulnerable 2026-06-03 14:40:17.734336 Details available
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
Published: 2020-06-19T13:25:29.000Z
Updated: 2024-08-05T02:53:09.267Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20842 vulnerable 2026-06-03 14:40:17.733916 Details available
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
Published: 2020-06-19T13:18:27.000Z
Updated: 2024-08-05T02:53:09.429Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20841 vulnerable 2026-06-03 14:40:17.731291 Details available
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
Published: 2020-06-19T13:17:36.000Z
Updated: 2024-08-05T02:53:09.244Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21264 vulnerable 2026-06-03 14:38:40.612322 Details available
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
Published: 2020-06-19T17:44:05.000Z
Updated: 2024-08-05T12:26:39.592Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21263 vulnerable 2026-06-03 14:38:40.607675 Details available
An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response.
Published: 2020-06-19T16:45:07.000Z
Updated: 2024-08-05T12:26:39.602Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21262 vulnerable 2026-06-03 14:38:40.607392 Details available
An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text.
Published: 2020-06-19T16:51:43.000Z
Updated: 2024-08-05T12:26:39.587Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21261 vulnerable 2026-06-03 14:38:40.607083 Details available
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges.
Published: 2020-06-19T16:51:44.000Z
Updated: 2024-08-05T12:26:39.570Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21260 vulnerable 2026-06-03 14:38:40.606807 Details available
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy.
Published: 2020-06-19T16:49:45.000Z
Updated: 2024-08-05T12:26:39.570Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21259 vulnerable 2026-06-03 14:38:40.606541 Details available
An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel.
Published: 2020-06-19T16:47:10.000Z
Updated: 2024-08-05T12:26:39.575Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21258 vulnerable 2026-06-03 14:38:40.606268 Details available
An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command.
Published: 2020-06-19T16:45:05.000Z
Updated: 2024-08-05T12:26:39.589Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21257 vulnerable 2026-06-03 14:38:40.606008 Details available
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.
Published: 2020-06-19T16:51:47.000Z
Updated: 2024-08-05T12:26:39.573Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21256 vulnerable 2026-06-03 14:38:40.605743 Details available
An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
Published: 2020-06-19T17:44:07.000Z
Updated: 2024-08-05T12:26:39.427Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21255 vulnerable 2026-06-03 14:38:40.605459 Details available
An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel.
Published: 2020-06-19T16:49:55.000Z
Updated: 2024-08-05T12:26:39.573Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21254 vulnerable 2026-06-03 14:38:40.605158 Details available
An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
Published: 2020-06-19T16:49:54.000Z
Updated: 2024-08-05T12:26:39.596Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21253 vulnerable 2026-06-03 14:38:40.601384 Details available
An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.
Published: 2020-06-19T16:45:02.000Z
Updated: 2024-08-05T12:26:39.550Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21252 vulnerable 2026-06-03 14:38:40.600947 Details available
An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
Published: 2020-06-19T17:44:09.000Z
Updated: 2024-08-05T12:26:39.449Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21251 vulnerable 2026-06-03 14:38:40.596503 Details available
An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.
Published: 2020-06-19T16:49:18.000Z
Updated: 2024-08-05T12:26:39.379Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21250 vulnerable 2026-06-03 14:38:40.596195 Details available
An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.
Published: 2020-06-19T16:51:17.000Z
Updated: 2024-08-05T12:26:39.562Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21249 vulnerable 2026-06-03 14:38:40.595878 Details available
An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing.
Published: 2020-06-19T16:47:49.000Z
Updated: 2024-08-05T12:26:39.600Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21248 vulnerable 2026-06-03 14:38:40.595519 Details available
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
Published: 2020-06-19T16:47:04.000Z
Updated: 2024-08-05T12:26:39.537Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18921 vulnerable 2026-06-03 14:36:58.393122 Details available
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
Published: 2020-06-19T19:21:28.000Z
Updated: 2024-08-05T21:45:24.533Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18920 vulnerable 2026-06-03 14:36:58.392878 Details available
An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
Published: 2020-06-19T19:20:58.000Z
Updated: 2024-08-05T21:45:24.478Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18919 vulnerable 2026-06-03 14:36:58.392627 Details available
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
Published: 2020-06-19T19:20:39.000Z
Updated: 2024-08-05T21:37:44.450Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18918 vulnerable 2026-06-03 14:36:58.392372 Details available
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
Published: 2020-06-19T19:19:57.000Z
Updated: 2024-08-05T21:37:44.309Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18917 vulnerable 2026-06-03 14:36:58.392101 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
Published: 2020-06-19T19:18:37.000Z
Updated: 2024-08-05T21:37:44.434Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18916 vulnerable 2026-06-03 14:36:58.391828 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
Published: 2020-06-19T19:19:12.000Z
Updated: 2024-08-05T21:37:44.319Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18915 vulnerable 2026-06-03 14:36:58.391571 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
Published: 2020-06-19T19:16:03.000Z
Updated: 2024-08-05T21:37:44.314Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18914 vulnerable 2026-06-03 14:36:58.391303 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
Published: 2020-06-19T19:16:05.000Z
Updated: 2024-08-05T21:37:44.451Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18913 vulnerable 2026-06-03 14:36:58.391034 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
Published: 2020-06-19T19:16:09.000Z
Updated: 2024-08-05T21:37:44.346Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18912 vulnerable 2026-06-03 14:36:58.390757 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
Published: 2020-06-19T18:45:54.000Z
Updated: 2024-08-05T21:37:44.305Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18911 vulnerable 2026-06-03 14:36:58.390494 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
Published: 2020-06-19T18:45:55.000Z
Updated: 2024-08-05T21:37:44.346Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18910 vulnerable 2026-06-03 14:36:58.390223 Details available
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
Published: 2020-06-19T18:45:56.000Z
Updated: 2024-08-05T21:37:44.297Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18909 vulnerable 2026-06-03 14:36:58.389875 Details available
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
Published: 2020-06-19T18:45:57.000Z
Updated: 2024-08-05T21:37:44.396Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18908 vulnerable 2026-06-03 14:36:58.389623 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometimes sent to an attacker-provided e-mail address.
Published: 2020-06-19T19:16:08.000Z
Updated: 2024-08-05T21:37:44.432Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18907 vulnerable 2026-06-03 14:36:58.389349 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
Published: 2020-06-19T19:19:38.000Z
Updated: 2024-08-05T21:37:44.314Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18906 vulnerable 2026-06-03 14:36:58.389078 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
Published: 2020-06-19T19:18:16.000Z
Updated: 2024-08-05T21:37:44.352Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18905 vulnerable 2026-06-03 14:36:58.388820 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.
Published: 2020-06-19T19:17:03.000Z
Updated: 2024-08-05T21:37:44.319Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18904 vulnerable 2026-06-03 14:36:58.388564 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
Published: 2020-06-19T18:45:31.000Z
Updated: 2024-08-05T21:37:44.355Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18903 vulnerable 2026-06-03 14:36:58.388295 Details available
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
Published: 2020-06-19T18:44:09.000Z
Updated: 2024-08-05T21:37:44.304Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18902 vulnerable 2026-06-03 14:36:58.388018 Details available
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
Published: 2020-06-19T18:43:20.000Z
Updated: 2024-08-05T21:37:44.288Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18901 vulnerable 2026-06-03 14:36:58.387744 Details available
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
Published: 2020-06-19T18:09:26.000Z
Updated: 2024-08-05T21:37:44.316Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18900 vulnerable 2026-06-03 14:36:58.387484 Details available
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
Published: 2020-06-19T18:43:18.000Z
Updated: 2024-08-05T21:37:44.301Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18899 vulnerable 2026-06-03 14:36:58.387146 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
Published: 2020-06-19T18:42:06.000Z
Updated: 2024-08-05T21:37:44.359Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18898 vulnerable 2026-06-03 14:36:58.386796 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
Published: 2020-06-19T18:43:19.000Z
Updated: 2024-08-05T21:37:44.351Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18897 vulnerable 2026-06-03 14:36:58.386427 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
Published: 2020-06-19T18:10:53.000Z
Updated: 2024-08-05T21:37:44.398Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18896 vulnerable 2026-06-03 14:36:58.386080 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
Published: 2020-06-19T18:10:54.000Z
Updated: 2024-08-05T21:37:44.368Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18895 vulnerable 2026-06-03 14:36:58.385729 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Published: 2020-06-19T18:43:14.000Z
Updated: 2024-08-05T21:37:44.297Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18894 vulnerable 2026-06-03 14:36:58.385372 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes, resource-owner authorization is bypassed, allowing account takeover.
Published: 2020-06-19T18:10:56.000Z
Updated: 2024-08-05T21:37:44.290Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18893 vulnerable 2026-06-03 14:36:58.384989 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
Published: 2020-06-19T18:10:57.000Z
Updated: 2024-08-05T21:37:44.301Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18892 vulnerable 2026-06-03 14:36:58.384589 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
Published: 2020-06-19T18:08:51.000Z
Updated: 2024-08-05T21:37:44.449Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18891 vulnerable 2026-06-03 14:36:58.373251 Details available
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows phishing because an error page can have a link.
Published: 2020-06-19T18:08:50.000Z
Updated: 2024-08-05T21:37:44.282Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18890 vulnerable 2026-06-03 14:36:58.372905 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
Published: 2020-06-19T18:08:53.000Z
Updated: 2024-08-05T21:37:44.382Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18889 vulnerable 2026-06-03 14:36:58.372552 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
Published: 2020-06-19T18:08:54.000Z
Updated: 2024-08-05T21:37:44.306Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18888 vulnerable 2026-06-03 14:36:58.372196 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
Published: 2020-06-19T18:10:58.000Z
Updated: 2024-08-05T21:37:44.299Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18887 vulnerable 2026-06-03 14:36:58.371822 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
Published: 2020-06-19T18:10:59.000Z
Updated: 2024-08-05T21:37:44.311Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18886 vulnerable 2026-06-03 14:36:58.371463 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
Published: 2020-06-19T18:43:16.000Z
Updated: 2024-08-05T21:37:44.295Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18885 vulnerable 2026-06-03 14:36:58.371104 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
Published: 2020-06-19T18:10:29.000Z
Updated: 2024-08-05T21:37:44.292Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18884 vulnerable 2026-06-03 14:36:58.370744 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
Published: 2020-06-19T18:08:48.000Z
Updated: 2024-08-05T21:37:44.307Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18883 vulnerable 2026-06-03 14:36:58.370360 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
Published: 2020-06-19T18:08:47.000Z
Updated: 2024-08-05T21:37:44.337Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18882 vulnerable 2026-06-03 14:36:58.369922 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
Published: 2020-06-19T18:08:46.000Z
Updated: 2024-08-05T21:37:44.343Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18881 vulnerable 2026-06-03 14:36:58.369559 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command.
Published: 2020-06-19T18:08:44.000Z
Updated: 2024-08-05T21:37:44.347Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18880 vulnerable 2026-06-03 14:36:58.369208 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
Published: 2020-06-19T18:42:54.000Z
Updated: 2024-08-05T21:37:44.319Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18879 vulnerable 2026-06-03 14:36:58.368855 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
Published: 2020-06-19T18:08:42.000Z
Updated: 2024-08-05T21:37:44.451Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18878 vulnerable 2026-06-03 14:36:58.368502 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.
Published: 2020-06-19T18:08:20.000Z
Updated: 2024-08-05T21:37:44.337Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18877 vulnerable 2026-06-03 14:36:58.368132 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
Published: 2020-06-19T16:50:36.000Z
Updated: 2024-08-05T21:37:44.304Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18876 vulnerable 2026-06-03 14:36:58.367762 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
Published: 2020-06-19T16:50:02.000Z
Updated: 2024-08-05T21:37:44.312Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18875 vulnerable 2026-06-03 14:36:58.367372 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
Published: 2020-06-19T16:47:13.000Z
Updated: 2024-08-05T21:37:44.306Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18874 vulnerable 2026-06-03 14:36:58.366967 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.
Published: 2020-06-19T18:07:29.000Z
Updated: 2024-08-05T21:37:44.316Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18873 vulnerable 2026-06-03 14:36:58.363291 Details available
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
Published: 2020-06-19T17:44:12.000Z
Updated: 2024-08-05T21:37:44.342Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18872 vulnerable 2026-06-03 14:36:58.362978 Details available
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
Published: 2020-06-19T17:44:11.000Z
Updated: 2024-08-05T21:37:44.288Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18871 vulnerable 2026-06-03 14:36:58.362592 Details available
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
Published: 2020-06-19T16:51:40.000Z
Updated: 2024-08-05T21:37:44.296Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-18870 vulnerable 2026-06-03 14:36:58.359543 Details available
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.
Published: 2020-06-19T16:47:11.000Z
Updated: 2024-08-05T21:37:44.354Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11084 vulnerable 2026-06-03 14:35:30.324009 Details available
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
Published: 2020-06-19T19:30:10.000Z
Updated: 2024-08-06T03:47:34.848Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11083 vulnerable 2026-06-03 14:35:30.323758 Details available
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
Published: 2020-06-19T19:29:43.000Z
Updated: 2024-08-06T03:47:34.924Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11082 vulnerable 2026-06-03 14:35:30.323504 Details available
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
Published: 2020-06-19T19:29:32.000Z
Updated: 2024-08-06T03:47:34.639Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11081 vulnerable 2026-06-03 14:35:30.323236 Details available
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
Published: 2020-06-19T19:29:13.000Z
Updated: 2024-08-06T03:47:34.909Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11080 vulnerable 2026-06-03 14:35:30.322971 Details available
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
Published: 2020-06-19T19:28:59.000Z
Updated: 2024-08-06T03:47:34.927Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11079 vulnerable 2026-06-03 14:35:30.322719 Details available
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
Published: 2020-06-19T19:28:42.000Z
Updated: 2024-08-06T03:47:34.776Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11078 vulnerable 2026-06-03 14:35:30.322470 Details available
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
Published: 2020-06-19T19:28:22.000Z
Updated: 2024-08-06T03:47:34.919Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11077 vulnerable 2026-06-03 14:35:30.322206 Details available
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
Published: 2020-06-19T19:28:01.000Z
Updated: 2024-08-06T03:47:34.908Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11076 vulnerable 2026-06-03 14:35:30.321937 Details available
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
Published: 2020-06-19T19:27:37.000Z
Updated: 2024-08-06T03:47:35.162Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11075 vulnerable 2026-06-03 14:35:30.321683 Details available
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
Published: 2020-06-19T19:27:18.000Z
Updated: 2024-08-06T03:47:34.619Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11074 vulnerable 2026-06-03 14:35:30.321429 Details available
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
Published: 2020-06-19T19:26:52.000Z
Updated: 2024-08-06T03:47:34.622Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11073 vulnerable 2026-06-03 14:35:30.321169 Details available
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
Published: 2020-06-19T19:26:32.000Z
Updated: 2024-08-06T03:47:34.938Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11072 vulnerable 2026-06-03 14:35:30.320904 Details available
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
Published: 2020-06-19T19:26:14.000Z
Updated: 2024-08-06T03:47:34.665Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11071 vulnerable 2026-06-03 14:35:30.320629 Details available
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
Published: 2020-06-19T19:25:54.000Z
Updated: 2024-08-06T03:47:34.901Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11070 vulnerable 2026-06-03 14:35:30.320365 Details available
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
Published: 2020-06-19T19:25:34.000Z
Updated: 2024-08-06T03:47:34.832Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11069 vulnerable 2026-06-03 14:35:30.320100 Details available
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
Published: 2020-06-19T19:25:13.000Z
Updated: 2024-08-06T03:47:34.587Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11068 vulnerable 2026-06-03 14:35:30.319836 Details available
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
Published: 2020-06-19T19:24:49.000Z
Updated: 2024-08-06T03:47:34.550Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11067 vulnerable 2026-06-03 14:35:30.319556 Details available
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
Published: 2020-06-19T19:24:31.000Z
Updated: 2024-08-06T03:47:34.722Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11066 vulnerable 2026-06-03 14:35:30.319275 Details available
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
Published: 2020-06-19T19:23:24.000Z
Updated: 2024-08-06T03:47:34.723Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11065 vulnerable 2026-06-03 14:35:30.318968 Details available
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
Published: 2020-06-19T19:23:02.000Z
Updated: 2024-08-06T03:47:34.555Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11063 vulnerable 2026-06-03 14:35:30.317273 Details available
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
Published: 2020-06-19T19:22:15.000Z
Updated: 2024-08-06T03:47:34.760Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-11062 vulnerable 2026-06-03 14:35:30.316895 Details available
An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
Published: 2020-06-19T19:21:50.000Z
Updated: 2024-08-06T03:47:34.701Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-9548 vulnerable 2026-06-03 14:35:19.990501 Details available
An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a small compressed file that has a large size when uncompressed.
Published: 2020-06-19T19:30:35.000Z
Updated: 2024-08-06T08:51:05.305Z
Reference links
Imported from gcve-enriched-dumps CVE data