
Mattermost — Vulnerabilities & Security Advisories (427)

Browse all 427 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-1774 | Unauthorized email invite to a private channel | Mattermost | CWE-862 | 4.2 | Medium | 2023-03-31 |
| CVE-2023-1562 | Full name revealed via /plugins/focalboard/api/v2/users | Mattermost | CWE-200 | 3.5 | Low | 2023-03-22 |
| CVE-2023-1421 | Reflected XSS in OAuth flow completion endpoints | Mattermost | CWE-79 | 3.5 | Low | 2023-03-15 |
| CVE-2023-27266 | Disclosure of team owner email address when accessing the teams API | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27 |
| CVE-2023-27265 | Disclosure of team owner email address when regenerating Invite ID | Mattermost | CWE-200 | 2.7 | Low | 2023-02-27 |
| CVE-2023-27264 | IDOR: Updating a playbook via the Playbooks API | Mattermost | CWE-862 | 7.1 | High | 2023-02-27 |
| CVE-2023-27263 | IDOR: Accessing playbook runs via the Playbooks Runs API | Mattermost | CWE-862 | 4.3 | Medium | 2023-02-27 |
| CVE-2022-4045 | Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server | Mattermost | CWE-770 | 3.1 | Low | 2022-11-23 |
| CVE-2022-4044 | Authenticated user could send multiple requests containing a large Auto Responder Message payload and can crash a Mattermost server | Mattermost | CWE-770 | 4.3 | Medium | 2022-11-23 |
| CVE-2022-4019 | Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server | Playbooks Plugin | CWE-770 | 4.3 | Medium | 2022-11-23 |
| CVE-2022-3257 | Server-side Denial of Service while processing a specifically crafted GIF file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-23 |
| CVE-2022-3147 | Server-side Denial of Service while processing a specifically crafted JPEG file | Mattermost | CWE-400 | 3.1 | Low | 2022-09-09 |
| CVE-2022-2408 | Guest accounts can list all public channels | Mattermost | CWE-200 | 4.3 | Medium | 2022-07-14 |
| CVE-2022-2406 | Malicious imports can lead to Denial of Service | Mattermost | CWE-400 | 4.3 | Medium | 2022-07-14 |
| CVE-2022-2401 | Team members could access sensitive information of other users via an API call | Mattermost | CWE-200 | 6.5 | Medium | 2022-07-14 |
| CVE-2022-2366 | Incorrect defaults can cause attackers to bypass rate limitations | Mattermost | CWE-276 | 5.6 | Medium | 2022-07-11 |
| CVE-2022-1982 | A crafted SVG attachment can crash a Mattermost server | Mattermost | CWE-400 | 4.3 | Medium | 2022-06-02 |
| CVE-2022-1548 | Playbook members are allowed to escalate their membership privileges and perform actions restricted to playbook admins | Mattermost Playbooks | CWE-264 | 3.7 | Low | 2022-05-03 |
| CVE-2022-1384 | Authorized users are allowed to install old plugin versions from the Marketplace | Mattermost | CWE-477 | 4.7 | Medium | 2022-04-19 |
| CVE-2022-1385 | Invitation Email is resent as a Reminder after invalidating pending email invites | Mattermost | CWE-664 | 3.7 | Low | 2022-04-19 |
| CVE-2022-1332 | Restricted custom admin role can bypass the restrictions and view the server logs and server config.json file contents | Mattermost | CWE-200 | 4.3 | Medium | 2022-04-13 |
| CVE-2022-1333 | A specifically drafted Playbook could trigger a large amount of webhook requests leading to Denial of Service | Mattermost Playbooks | CWE-770 | 3.5 | Low | 2022-04-13 |
| CVE-2022-1337 | OOM DoS in Mattermost image proxy | Mattermost | CWE-400 | 4.3 | Medium | 2022-04-13 |
| CVE-2022-1002 | HTML Injection while inviting Guests | Mattermost | CWE-80 | 2.0 | Low | 2022-03-18 |
| CVE-2022-1003 | Sysadmin can override existing configs & bypass restrictions like EnableUploads | Mattermost | CWE-268 | 3.3 | Low | 2022-03-18 |
| CVE-2022-0904 | Stack overflow in document extractor in Mattermost | Mattermost | | 4.3 | Medium | 2022-03-09 |
| CVE-2022-0903 | Stack overflow in SAML login in Mattermost | Mattermost | | 5.3 | Medium | 2022-03-09 |
| CVE-2022-0708 | Team Creator's Email Address is disclosed to Team Members via one of the APIs | Mattermost | CWE-200 | 4.3 | Medium | 2022-02-21 |
| CVE-2021-37864 | Users can view the contents of an archived channel when access is explicitly denied by the system admin | Mattermost | CWE-284 | 2.6 | Low | 2022-01-18 |
| CVE-2021-37867 | Emails of all users are exposed via one of the Boards APIs | Mattermost Boards | CWE-200 | 4.3 | Medium | 2022-01-18 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.