
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-39839 | Remote username set to an arbitrary string by remote user | CWE-284 | 4.3 | Medium | 2024-08-01 |
| CVE-2024-39837 | Malicious remote can create arbitrary channels | CWE-284 | 3.8 | Low | 2024-08-01 |
| CVE-2024-39832 | Permanent local data deletion by malicious remote | CWE-754 | 6.8 | Medium | 2024-08-01 |
| CVE-2024-39777 | Malicious remote can invite itself to an arbitrary local channel | CWE-284 | 8.7 | High | 2024-08-01 |
| CVE-2024-39274 | Malicious remote can add users to arbitrary teams and channels | CWE-284 | 8.7 | High | 2024-08-01 |
| CVE-2024-36492 | Existing local user overwritten by malicious remote | CWE-284 | 7.4 | High | 2024-08-01 |
| CVE-2024-29977 | Malicious remote can create arbitrary reactions on arbitrary posts | CWE-284 | 2.7 | Low | 2024-08-01 |
| CVE-2024-39767 | Spoofed push notifications from malicious server | CWE-287 | 4.2 | Medium | 2024-07-15 |
| CVE-2024-32945 | LaTeX post content manipulation via renderer state leak across contexts | CWE-909 | 2.6 | Low | 2024-07-15 |
| CVE-2024-6428 | Limited DoS due to permitting creating users with user-defined IDs | CWE-284 | 5.3 | Medium | 2024-07-03 |
| CVE-2024-39353 | RemoteClusterFrame payloads are audit logged in full | CWE-200 | 2.7 | Low | 2024-07-03 |
| CVE-2024-39361 | Creating posts with user-defined IDs permitted in CreatePost API | CWE-284 | 3.1 | Low | 2024-07-03 |
| CVE-2024-39830 | Timing attack during remote cluster token comparison when shared channels are enabled | CWE-287 | 8.1 | High | 2024-07-03 |
| CVE-2024-39807 | Channel IDs of archived/restored channels leaked via webhook events | CWE-200 | 3.1 | Low | 2024-07-03 |
| CVE-2024-36257 | Lack of permission check when updating the profile picture of a remote user (shared channels enabled) | CWE-284 | 2.7 | Low | 2024-07-03 |
| CVE-2024-37182 | Lack of permissions prompting when opening external URLs | CWE-693 | 4.7 | Medium | 2024-06-14 |
| CVE-2024-36287 | Bypass of TCC restrictions on macOS | CWE-693 | 3.8 | Low | 2024-06-14 |
| CVE-2024-29215 | Slash commands run in channel without channel membership via playbook task commands | CWE-284 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-36255 | Post actions can run playbook checklist task commands | CWE-352 | 5.7 | Medium | 2024-05-26 |
| CVE-2024-36241 | /playbook add slash command allows viewing arbitrary post contents | CWE-284 | 3.1 | Low | 2024-05-26 |
| CVE-2024-31859 | Member promoted to channel admin via playbook run linking to channel | CWE-284 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-5270 | SAML to email switch possible when email sign-in is disabled | CWE-284 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-5272 | Run details leak to guest via webhook event "custom_playbooks_playbook_run_updated" | CWE-284 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-32045 | Playbook run link to private channel grants channel access | CWE-284 | 5.9 | Medium | 2024-05-26 |
| CVE-2024-34152 | Playbook run metadata leak to guest | CWE-284 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-34029 | AD/LDAP group members leak | CWE-200 | 4.3 | Medium | 2024-05-26 |
| CVE-2024-4198 | Mattermost security vulnerability | CWE-284 | 2.7 | Low | 2024-04-26 |
| CVE-2024-4195 | Mattermost security vulnerability | CWE-284 | 2.7 | Low | 2024-04-26 |
| CVE-2024-4183 | Mattermost security vulnerability | CWE-400 | 4.3 | Medium | 2024-04-26 |
| CVE-2024-4182 | Mattermost security vulnerability | CWE-754 | 4.3 | Medium | 2024-04-26 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.