github.com/mattermost/mattermost-server
Go253 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/mattermost/mattermost-serverpage 5 of 6
- CVE-2025-49222MEDIUMCVSS 6.8EG 6.8✓ Fixed in 10.10.1+incompatible2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types…
- CVE-2025-4981CRITICALCVSS 9.9EG 9.9✓ Fixed in 10.8.1+incompatible2025-06-20
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the…
- CVE-2025-49810LOWCVSS 3.5EG 3.5✓ Fixed in 10.5.9+incompatible2025-08-21
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
- CVE-2025-53971LOWCVSS 3.8EG 3.8✓ Fixed in 10.5.9+incompatible2025-08-21
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/…
- CVE-2025-54499LOWCVSS 3.1EG 3.1✓ Fixed in 10.11.3+incompatible2025-10-16
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time …
- CVE-2025-55070MEDIUMCVSS 6.5EG 6.5✓ Fixed in 11.1.0+incompatible2025-11-14
Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
- CVE-2025-55073MEDIUMCVSS 5.4EG 5.4✓ Fixed in 10.12.1+incompatible2025-11-14
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted…
- CVE-2025-55074LOWCVSS 3.0EG 3.0✓ Fixed in 10.11.4+incompatible2025-11-18
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects
- CVE-2025-58073HIGHCVSS 8.1EG 8.1✓ Fixed in 10.11.2+incompatible2025-10-16
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server …
- CVE-2025-58075HIGHCVSS 8.1EG 8.1✓ Fixed in 10.11.2+incompatible2025-10-16
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server …
- CVE-2025-6226MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.8.2+incompatible2025-07-18
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels the…
- CVE-2025-6227LOWCVSS 3.1EG 2.2✓ Fixed in 10.5.8+incompatible2025-07-18
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally cre…
- CVE-2025-6233MEDIUMCVSS 4.9EG 6.8✓ Fixed in 10.8.2+incompatible2025-07-18
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path…
- CVE-2025-62690LOWCVSS 3.1EG 3.12025-12-17
Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
- CVE-2025-64641MEDIUMCVSS 4.1EG 4.1✓ Fixed in 11.1.1+incompatible2025-12-24
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exf…
- CVE-2025-6465MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.10.1+incompatible2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file stre…
- CVE-2025-8023MEDIUMCVSS 4.9EG 6.8✓ Fixed in 10.9.3+incompatible2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via ma…
- CVE-2025-8402MEDIUMCVSS 4.9EG 4.9✓ Fixed in 10.10.1+incompatible2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
- CVE-2025-9072MEDIUMCVSS 5.4EG 7.6✓ Fixed in 10.10.2+incompatible2025-09-15
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the …
- CVE-2025-9076MEDIUMCVSS 6.5EG 6.5✓ Fixed in 10.10.2+incompatible2025-09-15
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user ob…
- CVE-2025-9078MEDIUMCVSS 4.3EG 4.3✓ Fixed in 10.10.2+incompatible2025-09-15
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison…
- CVE-2025-9079HIGHCVSS 7.2EG 8.0✓ Fixed in 10.10.2+incompatible2025-09-19
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin up…
- CVE-2025-9081MEDIUMCVSS 6.5EG 3.1✓ Fixed in 10.5.9+incompatible2025-09-19
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
- CVE-2025-9084MEDIUMCVSS 6.1EG 3.1✓ Fixed in 10.5.10+incompatible2025-09-15
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
- CVE-2026-0999MEDIUMCVSS 5.4EG 5.42026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Matter…
- CVE-2026-20796LOWCVSS 3.1EG 3.1✓ Fixed in 10.11.10+incompatible2026-02-13
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams …
- CVE-2026-22892MEDIUMCVSS 4.3EG 4.3✓ Fixed in 11.2.2+incompatible2026-02-13
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read pos…
- CVE-2026-2325MEDIUMCVSS 4.3EG 4.3✓ Fixed in 11.4.42026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of serv…
- CVE-2026-27769LOWCVSS 2.7EG 2.7✓ Fixed in 8.0.0-20260316060126-bc1a2b34b1f92026-04-15
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed…
- CVE-2026-28732MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.3.2-0.20260306123948-f5fe8ded6b632026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to…
- CVE-2026-28735MEDIUMCVSS 5.4EG 5.4✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the c…
- CVE-2026-28759MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.3.2-0.20260216150504-8738f8c4b3d42026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a …
- CVE-2026-3473HIGHCVSS 7.1EG 7.1✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access cont…
- CVE-2026-3495LOWCVSS 3.8EG 3.8✓ Fixed in 5.3.2-0.20260310115442-5a1ea95044dc2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some…
- CVE-2026-3590MEDIUMCVSS 6.5EG 6.5✓ Fixed in 11.3.32026-04-15
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish…
- CVE-2026-3637MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.3.2-0.20260316171743-090408f09f532026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their…
- CVE-2026-4053LOWCVSS 3.1EG 3.1✓ Fixed in 0.0.0-20260414103857-b21ef302025e2026-05-15
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has …
- CVE-2026-4054MEDIUMCVSS 4.3EG 4.3✓ Fixed in 11.4.42026-05-15
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled or…
- CVE-2026-4273LOWCVSS 3.7EG 3.7✓ Fixed in 5.3.2-0.20260313190740-742e0be950742026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rota…
- CVE-2026-4635MEDIUMCVSS 5.3EG 5.3✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing per…
- CVE-2026-4646MEDIUMCVSS 4.3EG 4.3✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API req…
- CVE-2026-4858HIGHCVSS 8.0EG 8.0✓ Fixed in 11.6.12026-05-21
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermo…
- CVE-2026-4915MEDIUMCVSS 6.5EG 6.5✓ Fixed in 11.6.12026-05-25
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of …
- CVE-2026-5163MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.3.2-0.20260401090745-f4d1abe7e8f52026-05-18
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not h…
- CVE-2026-5740HIGHCVSS 7.5EG 7.5✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSo…
- CVE-2026-5755MEDIUMCVSS 6.5EG 6.5✓ Fixed in 11.6.12026-05-26
vulnerable: 11.6.0
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF…
- CVE-2026-6333LOWCVSS 3.5EG 3.5✓ Fixed in 5.3.2-0.20260325160634-e738016c59202026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-…
- CVE-2026-6334LOWCVSS 3.1EG 3.1✓ Fixed in 5.3.2-0.20260318173148-e9ae890a013b2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a diff…
- CVE-2026-6339MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.3.2-0.20260327001745-7a339a6438f52026-05-18
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without reci…
- CVE-2026-6340MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.3.2-0.20260325191733-fb11968f87982026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via upload…
Check whether github.com/mattermost/mattermost-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/mattermost/mattermost-server CVEs against the assets you own.
Start Free Scan →