
Mattermost — Vulnerabilities & Security Advisories (408)

Browse all 408 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-22880 | Mobile SSO authentication flow allows credential theft via malicious server | Mattermost | CWE-352 | 6.1 | Medium | 2026-05-21 |
| CVE-2026-4858 | Path traversal in integration action URL leading to arbitrary API execution via system admin's auth token | Mattermost | CWE-22 | 8.0 | High | 2026-05-21 |
| CVE-2026-4055 | Insufficient permission validation on cross-team playbook run creation | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-21 |
| CVE-2026-3471 | Opening a window with javascript:alert() as URL causes crash in the Mattermost Desktop App | Mattermost | CWE-939 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-4643 | Calling window.close() from server-side content causes crash in the Mattermost Desktop App | Mattermost | CWE-754 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6333 | SSRF via Host Header Spoofing in Custom Slash Commands | Mattermost | CWE-918 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6345 | Prevent password disclosure and force reset during Slack import | Mattermost | CWE-522 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-6346 | Sensitive credentials exposed in plaintext in Mattermost support packets | Mattermost | CWE-200 | 8.7 | High | 2026-05-18 |
| CVE-2026-28732 | Slash command trigger-word update allowed command hijacking | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6343 | Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6347 | Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets | Mattermost | CWE-200 | 7.6 | High | 2026-05-18 |
| CVE-2026-5163 | Missing authorization check in AI message rewrite endpoint allows access to private thread content | Mattermost | CWE-862 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-3117 | Instance and webhook GitLab plugin commands were able to be run by non-admin users | Mattermost | CWE-862 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-4286 | Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update | Mattermost | CWE-863 | 3.1 | Low | 2026-05-18 |
| CVE-2026-6339 | Missing request origin validation on burn-on-read reveal endpoint | Mattermost | CWE-346 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6340 | Memory Exhaustion via Malicious 7zip File Upload | Mattermost | CWE-789 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6341 | Incomplete group locking implementation | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6342 | Group prefix matching bypass for subscriptions | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-3495 | Unescaped variables during error page composition | Mattermost | CWE-79 | 3.8 | Low | 2026-05-18 |
| CVE-2026-4273 | Insufficient token rotation validation in remote cluster invite confirmation | Mattermost | CWE-863 | 3.7 | Low | 2026-05-18 |
| CVE-2026-3637 | Mattermost fails to enforce create_post permission when editing posts | Mattermost | CWE-862 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-2325 | Improper Input Validation in MS Teams Meetings API Handler | Mattermost | CWE-770 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-28759 | Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6334 | OAuth authorization code client binding not enforced during token redemption in Mattermost | Mattermost | CWE-305 | 3.1 | Low | 2026-05-18 |
| CVE-2026-4053 | Post edit time limit is not enforced on some post update operations | Mattermost | CWE-672 | 3.1 | Low | 2026-05-15 |
| CVE-2026-4054 | SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service | Mattermost | CWE-754 | 4.3 | Medium | 2026-05-15 |
| CVE-2026-3590 | Race Condition in Guest Magic Link Authentication Allows Token Reuse | Mattermost | CWE-367 | 6.5 | Medium | 2026-04-15 |
| CVE-2026-28741 | CSRF Protection Bypass Allows Updating a User's Authentication Method | Mattermost | CWE-352 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-27769 | Connected Workspaces: Malicious remote server can manipulate arbitrary user's status | Mattermost | CWE-862 | 2.7 | Low | 2026-04-15 |
| CVE-2026-24661 | Unbounded Request Body Read in MS Teams Plugin /changes Webhook Endpoint | Mattermost | CWE-770 | 3.7 | Low | 2026-04-09 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.