Mattermost — Vulnerabilities & Security Advisories 382

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

Top products by Mattermost: Mattermost Mattermost Confluence Plugin Mattermost Desktop Mattermost Boards Mattermost Playbooks Mattermost App Framework Focalboard Playbooks Plugin Mattermost Github Plugin Mattermost iOS app Mattermost Plugins Mattermost Mobile

CVEs 382

CVE ID	Title	CVSS	Severity	Published
CVE-2025-27936	Webhook Secret Exposure via Timing attack in MSteams plugin — MattermostCWE-208	5.3	Medium	2025-04-16
CVE-2025-31363	Data exfiltration via AI plugin Jira tool — MattermostCWE-1426	3.0	Low	2025-04-16
CVE-2025-27571	Channel metadata visible in archived channels despite configuration setting — MattermostCWE-863	4.3	Medium	2025-04-16
CVE-2025-27538	MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users — MattermostCWE-306	2.2	Low	2025-04-16
CVE-2025-24839	Unauthorized AI bot activation via Wrangler plugin — MattermostCWE-863	3.1	Low	2025-04-16
CVE-2025-2475	Unauthorized Bot Login Using Credentials — MattermostCWE-303	5.4	Medium	2025-04-14
CVE-2025-2424	Leaked Metadata of Deleted Files via Bookmark Creation — MattermostCWE-863	3.1	Low	2025-04-14
CVE-2025-32093	Syatem admin profile modification by delegated granular administration role — MattermostCWE-863	4.7	Medium	2025-04-14
CVE-2025-30516	Unauthorized Notification Exposure in Mobile App Under Specific Conditions — MattermostCWE-613	2.0	Low	2025-04-14
CVE-2025-24866	Unauthorized Access to User Activity Logs API by delegated granular administration roles — MattermostCWE-863	2.7	Low	2025-04-10
CVE-2025-1558	Denial of Service Via Malicious GIF — MattermostCWE-1287	6.5	Medium	2025-03-24
CVE-2025-25068	Bypassing MFA Enforcement on Plugin Endpoints — MattermostCWE-306	7.5	High	2025-03-21
CVE-2025-24920	Unauthorized Bookmark Creation and Modification in Archived Channels — MattermostCWE-863	4.3	Medium	2025-03-21
CVE-2025-30179	MFA Enforcement Bypass in Search APIs — MattermostCWE-863	4.3	Medium	2025-03-21
CVE-2025-25274	Unauthorized Command Execution in Archived Channels — MattermostCWE-863	4.3	Medium	2025-03-21
CVE-2025-27933	Unauthorized Private-to-Public Channel Conversion — MattermostCWE-863	5.4	Medium	2025-03-21
CVE-2025-27715	Auto-Enrollment of Team Admins into Private Channels without explicit consent — MattermostCWE-863	3.3	Low	2025-03-21
CVE-2025-1472	Unauthorized View Access to Site Statistics and Team Statistics — MattermostCWE-863	4.3	Medium	2025-03-19
CVE-2025-1398	macOS TCC Bypass via Code Injection — MattermostCWE-426	3.3	Low	2025-03-17
CVE-2025-20051	Arbitrary file read via block duplication in Mattermost Boards — MattermostCWE-22	9.9	Critical	2025-02-24
CVE-2025-24490	SQL Injection in Mattermost Boards via board category ID reordering — MattermostCWE-89	9.6	Critical	2025-02-24
CVE-2025-25279	Arbitrary file read in Mattermost Boards via import & export board archive — MattermostCWE-22	9.9	Critical	2025-02-24
CVE-2025-1412	Session Persistence After User-to-Bot Conversion — MattermostCWE-384	3.1	Low	2025-02-24
CVE-2025-24526	Channel export permitted on archived channel when viewing archived channels is disabled — MattermostCWE-863	4.3	Medium	2025-02-24
CVE-2025-0503	Leaked User IDs and Metadata of Deleted DMs — MattermostCWE-754	3.1	Low	2025-02-14
CVE-2025-20630	Mobile crash via object that can't be cast to String in Attachment Field — MattermostCWE-1287	6.5	Medium	2025-01-16
CVE-2025-20621	Webapp crash via object that can't be cast to String in Attachment Field — MattermostCWE-1287	6.5	Medium	2025-01-16
CVE-2025-20072	Mobile crash via improper validation of proto style in attachments — MattermostCWE-704	6.5	Medium	2025-01-16
CVE-2025-0476	Mobile crash via file with specially crafted filename — MattermostCWE-1287	4.3	Medium	2025-01-15
CVE-2025-20088	Insufficient Input Validation on Post Props — MattermostCWE-1287	6.5	Medium	2025-01-15

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Goal Reached Thanks to every supporter — we hit 100%!

Mattermost — Vulnerabilities & Security Advisories 382