
Mattermost — Vulnerabilities & Security Advisories (427)

Browse all 427 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

Found 397 results / 427

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-8683 | Overly long URLs crash the Mattermost Desktop App | Mattermost | CWE-770 | 6.5 | Medium | 2026-06-15 |
| CVE-2026-6517 | Mattermost Desktop App fails to restrict the allow list of domains to which NTLM credentials are passed | Mattermost | CWE-522 | 6.3 | Medium | 2026-06-15 |
| CVE-2026-6961 | Path traversal via unsanitized FileInfo.Name in Mattermost federation sync | Mattermost | CWE-22 | 7.6 | High | 2026-06-12 |
| CVE-2026-7387 | Mattermost group syncable endpoints allow privilege escalation via scheme_admin | Mattermost | CWE-863 | 8.8 | High | 2026-06-12 |
| CVE-2026-6046 | Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server | Mattermost | CWE-200 | 5.3 | Medium | 2026-06-12 |
| CVE-2026-6689 | Missing invite_user permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings | Mattermost | CWE-862 | 4.3 | Medium | 2026-06-12 |
| CVE-2026-7184 | Mattermost Remote Cluster PATCH API Leaks Authentication Tokens | Mattermost | CWE-201 | 6.5 | Medium | 2026-06-12 |
| CVE-2026-6739 | Mattermost: Delegated admins could patch protected default system roles | Mattermost | CWE-863 | 6.7 | Medium | 2026-06-12 |
| CVE-2026-3433 | Mattermost fails to scope role_updated websocket events to authorized team and channel members | Mattermost | CWE-200 | 4.3 | Medium | 2026-06-12 |
| CVE-2026-6957 | Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write | Mattermost | CWE-22 | 8.0 | High | 2026-05-27 |
| CVE-2026-4915 | Server panic via outgoing webhook responses | Mattermost | CWE-754 | 6.5 | Medium | 2026-05-25 |
| CVE-2026-28735 | GitHub OAuth Scope Validation | Mattermost | CWE-863 | 5.4 | Medium | 2026-05-22 |
| CVE-2026-4635 | Persistent notification timing attack causing server denial of service | Mattermost | CWE-362 | 6.5 | Medium | 2026-05-22 |
| CVE-2026-3473 | Improper file ownership validation in the Boards API allows unauthorised file access | Mattermost | CWE-639 | 5.9 | Medium | 2026-05-22 |
| CVE-2026-4646 | Insufficient input validation in GitHub plugin API causes denial of service | Mattermost | CWE-1287 | 4.3 | Medium | 2026-05-22 |
| CVE-2026-3636 | Sanitize team member data returned by API | Mattermost | CWE-200 | 4.3 | Medium | 2026-05-22 |
| CVE-2026-5740 | Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server | Mattermost | CWE-789 | 7.5 | High | 2026-05-22 |
| CVE-2026-5308 | Missing request body size limits on Zoom plugin HTTP endpoints | Mattermost | CWE-400 | 4.9 | Medium | 2026-05-22 |
| CVE-2026-5755 | Denial of service via crafted TIFF file upload | Mattermost | CWE-400 | 6.5 | Medium | 2026-05-22 |
| CVE-2026-22880 | Mobile SSO authentication flow allows credential theft via malicious server | Mattermost | CWE-352 | 6.1 | Medium | 2026-05-21 |
| CVE-2026-4858 | Path traversal in integration action URL leading to arbitrary API execution via system admin's auth token | Mattermost | CWE-22 | 8.0 | High | 2026-05-21 |
| CVE-2026-4055 | Insufficient permission validation on cross-team playbook run creation | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-21 |
| CVE-2026-3471 | Opening a window with javascript:alert() as URL causes crash in the Mattermost Desktop App | Mattermost | CWE-939 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-4643 | Calling window.close() from server-side content causes crash in the Mattermost Desktop App | Mattermost | CWE-754 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6333 | SSRF via Host Header Spoofing in Custom Slash Commands | Mattermost | CWE-918 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6345 | Prevent password disclosure and force reset during Slack import | Mattermost | CWE-522 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-6346 | Sensitive credentials exposed in plaintext in Mattermost support packets | Mattermost | CWE-200 | 8.7 | High | 2026-05-18 |
| CVE-2026-28732 | Slash command trigger-word update allowed command hijacking | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6343 | Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6347 | Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets | Mattermost | CWE-200 | 7.6 | High | 2026-05-18 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.