github.com/mattermost/mattermost-server
Go253 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/mattermost/mattermost-serverpage 4 of 6
- CVE-2025-1792LOWCVSS 3.1EG 3.1✓ Fixed in 10.7.1+incompatible2025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of p…
- CVE-2025-20033MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.2.1+incompatible2025-01-09
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the…
- CVE-2025-20051CRITICALCVSS 9.9EG 9.9✓ Fixed in 10.4.2+incompatible2025-02-24
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating …
- CVE-2025-20086MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.2.1+incompatible2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-20088MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.2.1+incompatible2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
- CVE-2025-20621MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.2.1+incompatible2025-01-16
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to cr…
- CVE-2025-21088MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.2.1+incompatible2025-01-15
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend…
- CVE-2025-22445LOWCVSS 3.5EG 3.5✓ Fixed in 10.3.0+incompatible2025-01-09
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
- CVE-2025-22449LOWCVSS 3.8EG 3.82025-01-09
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
- CVE-2025-2424LOWCVSS 3.1EG 3.1✓ Fixed in 10.5.2+incompatible2025-04-14
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
- CVE-2025-24526MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.4.2+incompatible2025-02-24
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a …
- CVE-2025-2475MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.5.2+incompatible2025-04-14
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
- CVE-2025-24839LOWCVSS 3.1EG 3.1✓ Fixed in 10.5.2+incompatible2025-04-16
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai …
- CVE-2025-24866LOWCVSS 2.7EG 2.7✓ Fixed in 9.11.9+incompatible2025-04-10
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Lo…
- CVE-2025-24920MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.1+incompatible2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived chan…
- CVE-2025-25068HIGHCVSS 7.5EG 7.5✓ Fixed in 10.5.1+incompatible2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
- CVE-2025-2527MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.3+incompatible2025-05-15
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.
- CVE-2025-25274MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.1+incompatible2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
- CVE-2025-25279CRITICALCVSS 9.9EG 9.9✓ Fixed in 10.4.2+incompatible2025-02-24
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and …
- CVE-2025-2564MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.2+incompatible2025-04-16
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member inform…
- CVE-2025-2570LOWCVSS 2.7EG 2.7✓ Fixed in 10.5.3+incompatible2025-05-15
Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmi…
- CVE-2025-2571MEDIUMCVSS 4.2EG 4.2✓ Fixed in 10.7.1+incompatible2025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot account…
- CVE-2025-27538LOWCVSS 2.2EG 2.2✓ Fixed in 10.5.2+incompatible2025-04-16
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or…
- CVE-2025-27571MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.2+incompatible2025-04-16
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated us…
- CVE-2025-27715LOWCVSS 3.3EG 3.3✓ Fixed in 9.11.9+incompatible2025-03-21
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team admins to joining private channels via crafted permalink links without explicit consent from them.
- CVE-2025-27933MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.4.3+incompatible2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones …
- CVE-2025-27936MEDIUMCVSS 5.3EG 5.3✓ Fixed in 10.5.2+incompatible2025-04-16
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve th…
- CVE-2025-30179MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.5.1+incompatible2025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
- CVE-2025-31363LOWCVSS 3.0EG 3.0✓ Fixed in 10.5.1+incompatible2025-04-16
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the vi…
- CVE-2025-31947MEDIUMCVSS 5.8EG 5.8✓ Fixed in 10.6.2+incompatible2025-05-15
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures…
- CVE-2025-32093MEDIUMCVSS 4.7EG 4.7✓ Fixed in 10.5.2+incompatible2025-04-14
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" per…
- CVE-2025-3227MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.8.1+incompatible2025-06-20
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage…
- CVE-2025-3228MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.8.1+incompatible2025-06-20
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook ru…
- CVE-2025-3230MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.7.1+incompatible2025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting…
- CVE-2025-3446MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.6.2+incompatible2025-05-15
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest us…
- CVE-2025-35965MEDIUMCVSS 6.5EG 6.52025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items contain…
- CVE-2025-3611LOWCVSS 3.1EG 3.1✓ Fixed in 10.7.1+incompatible2025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they…
- CVE-2025-36530MEDIUMCVSS 6.8EG 6.8✓ Fixed in 10.9.2+incompatible2025-08-21
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via…
- CVE-2025-3913MEDIUMCVSS 5.3EG 5.3✓ Fixed in 10.7.1+incompatible2025-05-29
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to acc…
- CVE-2025-4128LOWCVSS 3.1EG 3.1✓ Fixed in 10.5.5+incompatible2025-06-11
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API c…
- CVE-2025-41395MEDIUMCVSS 6.5EG 6.52025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted p…
- CVE-2025-41410MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.11.3+incompatible2025-10-16
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious S…
- CVE-2025-41423LOWCVSS 3.1EG 3.12025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts co…
- CVE-2025-41436LOWCVSS 3.1EG 3.1✓ Fixed in 11.0.0-alpha.1+incompatible2025-11-14
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
- CVE-2025-41443MEDIUMCVSS 4.3EG 4.32025-10-16
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/t…
- CVE-2025-4573MEDIUMCVSS 4.1EG 4.1✓ Fixed in 10.7.2+incompatible2025-06-11
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups perm…
- CVE-2025-46702MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.8.1+incompatible2025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticat…
- CVE-2025-47700LOWCVSS 3.5EG 3.5✓ Fixed in 10.5.10+incompatible2025-08-21
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions
- CVE-2025-47870MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.9.3+incompatible2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges…
- CVE-2025-47871MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.8.1+incompatible2025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook…
Check whether github.com/mattermost/mattermost-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/mattermost/mattermost-server CVEs against the assets you own.
Start Free Scan →