
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

Showing 352 of 382 results.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-3590 | Race Condition in Guest Magic Link Authentication Allows Token Reuse | CWE-367 | 6.5 | Medium | 2026-04-15 |
| CVE-2026-28741 | CSRF Protection Bypass Allows Updating a User's Authentication Method | CWE-352 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-27769 | Connected Workspaces: Malicious remote server can manipulate arbitrary user's status | CWE-862 | 2.7 | Low | 2026-04-15 |
| CVE-2026-24661 | Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-21388 | Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-3524 | Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check | CWE-862 | 8.3 | High | 2026-04-06 |
| CVE-2026-3112 | Arbitrary File Read via Advanced Logging Support Packet | CWE-22 | 6.8 | Medium | 2026-03-26 |
| CVE-2026-3109 | Missing timestamp validation in Zoom webhook handler | CWE-754 | 2.2 | Low | 2026-03-26 |
| CVE-2026-3115 | Guest users can view group member IDs without respecting view restrictions | CWE-863 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-3114 | Zip Bomb Denial of Service via Unrestricted Archive Decompression | CWE-409 | 6.5 | Medium | 2026-03-26 |
| CVE-2026-3116 | Improper Input Validation in Zoom Plugin Webhook Handler | CWE-400 | 4.9 | Medium | 2026-03-26 |
| CVE-2026-3113 | mmctl export download command doesn't restrict permissions on the created file to the file owner | CWE-732 | 5.0 | Medium | 2026-03-26 |
| CVE-2026-3108 | Terminal Escape Injection in mmctl Report Posts Command | CWE-150 | 8.0 | High | 2026-03-26 |
| CVE-2026-4274 | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access | CWE-863 | 5.4 | Medium | 2026-03-26 |
| CVE-2026-27659 | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint | CWE-352 | 4.6 | Medium | 2026-03-25 |
| CVE-2026-20719 | DoS via URL Previews Rendering Malicious SVGs | CWE-754 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-27656 | Account Takeover via Substring Matching in OpenID Connect Authentication | CWE-303 | 5.7 | Medium | 2026-03-25 |
| CVE-2026-26233 | Denial of Service via HTTP/2 single packet attack on login endpoint | CWE-400 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-1629 | Permalink Preview Information Disclosure After Permission Revocation | CWE-672 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-26230 | Team Admin Privilege Escalation to Demote Members to Guest | CWE-863 | 3.8 | Low | 2026-03-16 |
| CVE-2026-2454 | DoS in Calls plugin via malformed msgpack in websocket request | CWE-1287 | 5.8 | Medium | 2026-03-16 |
| CVE-2026-26304 | Permission Bypass in Playbook Run Creation | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24692 | Guest users can bypass read permissions via search API | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-22545 | Password Change Bypass via Auth Switch Endpoint | CWE-863 | 3.1 | Low | 2026-03-16 |
| CVE-2026-2455 | SSRF bypass via IPv4-mapped IPv6 literals | CWE-918 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-21386 | Private channel enumeration via /mute slash command | CWE-203 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-25780 | Memory Exhaustion via Malformed DOC File Upload | CWE-789 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-4265 | Guest user can upload files without permission across teams | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-25783 | Denial of service via malformed User-Agent header in getBrowserVersion | CWE-1287 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24458 | DoS attack via login attempts with multi-megabyte passwords | CWE-770 | 7.5 | High | 2026-03-16 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.