
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-2788 | Deactivated user can retain access using OAuth2 API | Mattermost | CWE-862 | 6.2 | Medium | 2023-06-16 |
| CVE-2023-2787 | Collapsed Reply Threads APIs leak message contents from private channels | Mattermost | CWE-862 | 6.5 | Medium | 2023-06-16 |
| CVE-2023-2786 | Channel commands execution doesn't properly verify permissions | Mattermost | CWE-862 | 4.3 | Medium | 2023-06-16 |
| CVE-2023-2784 | Apps Framework allows install requests from regular members via an internal path | Mattermost App Framework | CWE-862 | 4.2 | Medium | 2023-06-16 |
| CVE-2023-2783 | App Framework does not check for the secret provided in the incoming webhook request | Mattermost App Framework | CWE-862 | 4.3 | Medium | 2023-06-16 |
| CVE-2023-2808 | Lack of URL normalization allows rendering previews for disallowed domains | Mattermost | CWE-20 | 4.3 | Medium | 2023-05-29 |
| CVE-2023-2514 | DB username/password revealed in application logs | Mattermost | CWE-200 | 6.7 | Medium | 2023-05-12 |
| CVE-2023-2515 | Privilege escalation to system admin via personal access tokens | Mattermost | CWE-863 | 4.7 | Medium | 2023-05-12 |
| CVE-2023-2000 | Unrestricted navigation due to unvalidated Mattermost server redirection | Mattermost | CWE-601 | 5.4 | Medium | 2023-05-02 |
| CVE-2023-2281 | Archiving a team broadcasts unsanitized data over WebSockets | Mattermost | CWE-200 | 3.1 | Low | 2023-04-25 |
| CVE-2023-2193 | OAuth authorization codes do not expire when deauthorizing an OAuth2 app | Mattermost | CWE-862 | 6.5 | Medium | 2023-04-20 |
| CVE-2023-1831 | User password logged in audit logs | Mattermost | CWE-200 | 7.2 | High | 2023-04-17 |
| CVE-2023-1777 | Information disclosure in linked message previews | Mattermost | CWE-200 | 6.5 | Medium | 2023-03-31 |
| CVE-2023-1776 | Stored XSS via SVG attachment on Boards | Mattermost | CWE-79 | 7.3 | High | 2023-03-31 |
| CVE-2023-1775 | Unsanitized events sent over WebSocket to regular users in a High Availability environment | Mattermost | CWE-200 | 4.3 | Medium | 2023-03-31 |
| CVE-2023-1774 | Unauthorized email invite to a private channel | Mattermost | CWE-862 | 4.2 | Medium | 2023-03-31 |
| CVE-2023-1562 | Full name revealed via /plugins/focalboard/api/v2/users | Mattermost | CWE-200 | 3.5 | Low | 2023-03-22 |
| CVE-2023-1421 | Reflected XSS in OAuth flow completion endpoints | Mattermost | CWE-79 | 3.5 | Low | 2023-03-15 |
| CVE-2023-27266 | Disclosure of team owner email address when accessing the teams API | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27 |
| CVE-2023-27265 | Disclosure of team owner email address when regenerating Invite ID | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27 |
| CVE-2023-27264 | IDOR: Updating a playbook via the Playbooks API | Mattermost | CWE-862 | 7.1 | High | 2023-02-27 |
| CVE-2023-27263 | IDOR: Accessing playbook runs via the Playbooks Runs API | Mattermost | CWE-862 | 4.3 | Medium | 2023-02-27 |
| CVE-2022-4045 | Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and crash a Mattermost server | Mattermost | CWE-770 | 3.1 | Low | 2022-11-23 |
| CVE-2022-4044 | Authenticated user could send multiple requests containing a large Auto Responder Message payload and crash a Mattermost server | Mattermost | CWE-770 | 4.3 | Medium | 2022-11-23 |
| CVE-2022-4019 | Authenticated user could send multiple requests containing a large payload to a Playbooks API and crash a Mattermost server | Playbooks Plugin | CWE-770 | 4.3 | Medium | 2022-11-23 |
| CVE-2022-3257 | Server-side Denial of Service while processing a specifically crafted GIF file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-23 |
| CVE-2022-3147 | Server-side Denial of Service while processing a specifically crafted JPEG file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-09 |
| CVE-2022-2408 | Guest accounts can list all public channels | Mattermost | CWE-200 | 4.3 | Medium | 2022-07-14 |
| CVE-2022-2406 | Malicious imports can lead to Denial of Service | Mattermost | CWE-400 | 4.3 | Medium | 2022-07-14 |
| CVE-2022-2401 | Team members could access sensitive information of other users via an API call | Mattermost | CWE-200 | 6.5 | Medium | 2022-07-14 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.