
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-4981 | Path Traversal Leading to RCE by Any Authenticated Mattermost User | Mattermost | CWE-427 | 9.9 | Critical | 2025-06-20 |
| CVE-2025-4128 | Mattermost Guest User Information Disclosure Vulnerability | Mattermost | CWE-863 | 3.1 | Low | 2025-06-11 |
| CVE-2025-4573 | LDAP Injection in Mattermost Enterprise Edition When Using Active Directory | Mattermost | CWE-90 | 4.1 | Medium | 2025-06-11 |
| CVE-2025-3611 | Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions | Mattermost | CWE-863 | 3.1 | Low | 2025-05-30 |
| CVE-2025-3230 | Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server | Mattermost | CWE-303 | 5.4 | Medium | 2025-05-30 |
| CVE-2025-2571 | Google OAuth Authentication Bypass for Converted Bot Accounts | Mattermost | CWE-303 | 4.2 | Medium | 2025-05-30 |
| CVE-2025-1792 | Improper Access Control in Mattermost Channel Member API | Mattermost | CWE-863 | 3.1 | Low | 2025-05-30 |
| CVE-2025-3913 | Team Privacy Settings Authorization Bypass in Mattermost Server | Mattermost | CWE-863 | 5.3 | Medium | 2025-05-29 |
| CVE-2025-2570 | System Admin Cannot Access Environment settings in System Console While System Manager Can | Mattermost | CWE-863 | 2.7 | Low | 2025-05-15 |
| CVE-2025-2527 | Improper access control to group information | Mattermost | CWE-863 | 4.3 | Medium | 2025-05-15 |
| CVE-2025-3446 | Members Without Guest Invite Permissions Can Add Guests to Teams | Mattermost | CWE-863 | 4.3 | Medium | 2025-05-15 |
| CVE-2025-31947 | Repeated LDAP login failures can lock an LDAP account | Mattermost | CWE-645 | 5.8 | Medium | 2025-05-15 |
| CVE-2025-41423 | Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin | Mattermost | CWE-863 | 3.1 | Low | 2025-04-24 |
| CVE-2025-35965 | DoS in Mattermost Playbooks via Excessive Task Actions | Mattermost | CWE-770 | 6.5 | Medium | 2025-04-24 |
| CVE-2025-41395 | Webapp DoS via malicious retrospective post in Playbooks | Mattermost | CWE-1287 | 6.5 | Medium | 2025-04-24 |
| CVE-2025-2564 | Unauthorized View Access to Archived Channel Member Info | Mattermost | CWE-863 | 4.3 | Medium | 2025-04-16 |
| CVE-2025-27936 | Webhook Secret Exposure via Timing attack in MSTeams plugin | Mattermost | CWE-208 | 5.3 | Medium | 2025-04-16 |
| CVE-2025-31363 | Data exfiltration via AI plugin Jira tool | Mattermost | CWE-1426 | 3.0 | Low | 2025-04-16 |
| CVE-2025-27571 | Channel metadata visible in archived channels despite configuration setting | Mattermost | CWE-863 | 4.3 | Medium | 2025-04-16 |
| CVE-2025-27538 | MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users | Mattermost | CWE-306 | 2.2 | Low | 2025-04-16 |
| CVE-2025-24839 | Unauthorized AI bot activation via Wrangler plugin | Mattermost | CWE-863 | 3.1 | Low | 2025-04-16 |
| CVE-2025-2475 | Unauthorized Bot Login Using Credentials | Mattermost | CWE-303 | 5.4 | Medium | 2025-04-14 |
| CVE-2025-2424 | Leaked Metadata of Deleted Files via Bookmark Creation | Mattermost | CWE-863 | 3.1 | Low | 2025-04-14 |
| CVE-2025-32093 | System admin profile modification by delegated granular administration role | Mattermost | CWE-863 | 4.7 | Medium | 2025-04-14 |
| CVE-2025-30516 | Unauthorized Notification Exposure in Mobile App Under Specific Conditions | Mattermost | CWE-613 | 2.0 | Low | 2025-04-14 |
| CVE-2025-24866 | Unauthorized Access to User Activity Logs API by delegated granular administration roles | Mattermost | CWE-863 | 2.7 | Low | 2025-04-10 |
| CVE-2025-1558 | Denial of Service Via Malicious GIF | Mattermost | CWE-1287 | 6.5 | Medium | 2025-03-24 |
| CVE-2025-25068 | Bypassing MFA Enforcement on Plugin Endpoints | Mattermost | CWE-306 | 7.5 | High | 2025-03-21 |
| CVE-2025-24920 | Unauthorized Bookmark Creation and Modification in Archived Channels | Mattermost | CWE-863 | 4.3 | Medium | 2025-03-21 |
| CVE-2025-30179 | MFA Enforcement Bypass in Search APIs | Mattermost | CWE-863 | 4.3 | Medium | 2025-03-21 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.