Skip to main content

Mattermost

323 CVEs product

Monthly

CVE-2026-6541 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9820 LOW Monitor

Insufficient sanitization of team objects in Mattermost's scheme teams API endpoint allows an authenticated user holding the User Manager role to extract invite links for private teams from API responses and use those links to join or redistribute access to those teams. Affected versions are 11.7.x through 11.7.2 and 10.11.x through 10.11.19. No public exploit identified at time of analysis and exploitation has not been confirmed by CISA KEV, but the low attack complexity (AC:L) means a malicious User Manager could reliably reproduce this without trial and error.

Authentication Bypass Mattermost
NVD
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-9824 MEDIUM This Month

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9597 MEDIUM This Month

Deactivated guest accounts in Mattermost 11.6.x through 11.6.4 and 11.7.x through 11.7.2 can regain platform access using magic-link tokens issued before deactivation, because the magic-link login path omits an account-status check during session creation. This directly undermines guest account revocation as an access control mechanism - administrators who deactivate a guest account expecting immediate exclusion will find the control is defeatable while any pre-issued token remains valid. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-6850 MEDIUM This Month

Catastrophic regex backtracking in Mattermost's client-side markdown parser can be triggered by an authenticated user posting a specially crafted message attachment, causing a denial-of-service condition for every user rendering that channel. Affected builds span versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low exploitation complexity (AC:L, PR:L) lowers the bar for any authenticated insider or compromised account.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10106 MEDIUM This Month

Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10085 MEDIUM This Month

Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.

Authentication Bypass Mattermost
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-9708 MEDIUM This Month

Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-10103 MEDIUM This Month

Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9571 MEDIUM This Month

Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48801 npm HIGH POC PATCH GHSA This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost Denial Of Service Gitlab
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-9699 MEDIUM This Month

Credential exposure in Mattermost Plugins (all branches ≤11.6, fixed in 10.18.11, 11.3.6, and 11.6.5.0) leaks valid or partially reconstructable OpenAI API keys into mattermost.log when the OpenAI API returns authentication failure responses. Any user with privileged read access to server logs or downloadable support packets can recover the key and authenticate to the victim organization's OpenAI account. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Scope:Changed rating reflects that successful exploitation grants unauthorized access to an external, out-of-scope resource - the OpenAI account - with full confidentiality impact.

Mattermost Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2026-4339 MEDIUM This Month

Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. No public exploit code or CISA KEV listing is present in the available data; exploitation is constrained to attackers who already have local access to the stdio MCP interface.

SSRF Mattermost Mattermost Server
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-3472 LOW Monitor

Markdown image rendering restrictions in Mattermost are bypassed specifically for AI bot tool result posts, enabling authenticated attackers to exfiltrate data to attacker-controlled infrastructure. Affected are Mattermost versions 10.11.x through 10.11.18, 11.5.x through 11.5.6, and 11.6.x through 11.6.3. When a victim's client renders an AI bot tool result post containing injected markdown image syntax, the client issues an outbound request to the attacker's server, leaking request metadata such as session tokens or channel context. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Code Injection Mattermost Mattermost Server
NVD
CVSS 3.1
3.5
EPSS
0.2%
CVE-2026-13426 MEDIUM This Month

Path traversal in Mattermost's Go server module allows authenticated remote attackers to redirect API calls to unintended endpoints by embedding path traversal components (e.g., '../') within crafted ID parameters. The affected library is github.com/mattermost/mattermost/server/public versions prior to v0.1.22, which fails to sanitize path parameters before constructing API route paths. Exploitation yields limited confidentiality and integrity impact (CVSS 5.4 Medium); no public exploit code and no CISA KEV listing have been identified at time of analysis.

Mattermost Path Traversal
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-2299 MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google Mattermost Google Drive Plugin
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-8823 LOW Monitor

Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status, affecting versions 11.7.0 and 10.11.17 and earlier. The root cause is missing validation of whether the target of a demotion operation is a bot account, meaning an admin who lacks full system privileges can still weaponize the standard API endpoint against bot identities. No public exploit exists and the vulnerability is not listed in CISA KEV; its real-world priority is low given the high-privilege requirement and limited blast radius.

Mattermost Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-6062 MEDIUM This Month

Subscription hijacking in Mattermost allows authenticated low-privileged users to take control of subscriptions belonging to channels they have no access to by submitting a crafted PUT request to the subscription edit endpoint. The root cause is a missing channel ownership validation check, classified as an Insecure Direct Object Reference (CWE-639), affecting versions across four active release branches (10.11.x, 11.5.x, 11.6.x, 11.7.x). No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6673 MEDIUM This Month

Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654.

Atlassian Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8074 LOW Monitor

{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. While no public exploit has been identified at time of analysis, successful abuse disrupts any automated workflows or integration pipelines dependent on the targeted bot accounts.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-9162 MEDIUM This Month

WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-5139 MEDIUM This Month

The /gitlab connect slash command in Mattermost fails to enforce administrator-level authorization on the setDefaultInstance call, enabling any authenticated user to overwrite the workspace-wide default GitLab instance configuration. Affected across four concurrent release trains (11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17), this missing authorization flaw (CWE-862) is exploitable by any valid Mattermost account holder without elevated privileges. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and low privilege requirement make this accessible to any workspace member targeting GitLab integration infrastructure.

Mattermost Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-8683 MEDIUM This Month

Denial of service in Mattermost Desktop App (versions ≤6.1 and ≤5.5.13.0) allows a malicious Mattermost server owner to crash client applications by injecting a script that calls window.open() with an excessively large URL, exploiting a missing resource limit on URL length processing. Exploitation requires user interaction - the victim must actively connect their Desktop App to an attacker-controlled server - and impact is strictly limited to application availability with no confidentiality or integrity exposure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-6517 HIGH This Week

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. No public exploit identified at time of analysis and EPSS is low (0.18%), but the scope-change CVSS of 7.7 reflects cross-user impact.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-53837 npm MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-6961 HIGH This Week

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 10.11.15/10.11.16 when shared channels with federated peers are in use. An attacker who controls a federated Mattermost server can supply crafted FileInfo.Name values during file sync to write files to arbitrary locations in the target server's filestore. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Mattermost
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-7387 HIGH This Week

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding group-link permissions to promote themselves or other group members to team or channel administrator by setting the scheme_admin flag through group syncable link and patch API endpoints. The flaw stems from missing role-management authorization checks, and with a CVSS of 8.8 (network, low complexity, low privileges) it enables tenant-wide takeover of collaboration workspaces; no public exploit identified at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6046 MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6689 MEDIUM This Month

Mattermost's team creation API endpoint (POST /api/v4/teams) fails to enforce the PermissionInviteUser authorization check, allowing authenticated users holding only PermissionCreateTeam to configure invite-controlled team settings - including making a team publicly joinable via open invite and restricting membership by allowed domains - that they are explicitly prohibited from setting on existing teams. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release trains up to their respective latest builds. No public exploit identified at time of analysis, and the flaw has not been listed in CISA KEV.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7184 MEDIUM This Month

Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6739 HIGH This Week

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. No public exploit identified at time of analysis; EPSS is very low (0.03%) and the SSVC framework reports no observed exploitation.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-3433 MEDIUM This Month

Mattermost's WebSocket layer improperly broadcasts `role_updated` events to all authenticated connections regardless of team or channel membership, enabling guest-level authenticated users to observe permission scheme change notifications for private teams they do not belong to. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release lines. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and broad version impact make patching a straightforward priority for any Mattermost deployment with guest accounts enabled.

Mattermost Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6957 HIGH This Week

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost server plant files at attacker-chosen paths inside the target server's filestore by supplying a malicious, unsanitized filename through the shared-channel attachment sync protocol. The flaw stems from CWE-22 path traversal in the export-path construction logic and carries CVSS 8.0 with a changed scope, reflecting that a compromised or hostile federation peer can affect resources beyond the plugin's intended boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none' but technical impact as 'total'.

Mattermost Path Traversal
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-4915 Go MEDIUM PATCH This Month

Server process termination in Mattermost is achievable by any authenticated user via a crafted outgoing webhook callback response that contains a null attachment entry - exploiting the server's failure to filter nil elements from attachment payloads before processing (CWE-754). Affected release trains span 10.11.x through 11.6.x, covering a wide installed base. No public exploit exists and EPSS is extremely low at 0.04% (12th percentile), but the availability impact is rated High by CVSS and the attack requires only low-privilege authentication over the network with no user interaction, making this a meaningful insider or compromised-account threat capable of triggering a full service outage.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-9354 MEDIUM POC This Month

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.

Information Disclosure Mattermost
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-28735 Go MEDIUM PATCH This Month

OAuth scope validation bypass in Mattermost's GitHub integration allows authenticated users to escalate repository access beyond what was originally authorized. By manipulating the scope parameter in the GitHub OAuth authorization URL before the callback is processed, a low-privileged Mattermost user can obtain a GitHub token with broader permissions - including access to private repositories - than the application intended to grant. Affecting versions across four active release branches (10.11.x through 11.6.x), this is no public exploit identified at time of analysis and is not listed in CISA KEV, but the low complexity and authentication-only barrier make it a realistic insider or compromised-account risk.

Authentication Bypass Mattermost
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4635 Go MEDIUM PATCH This Month

Server crash via race condition in Mattermost's persistent notification and channel archival subsystem allows any low-privileged authenticated user to bring down the server with no user interaction required. Affected branches span 10.11.x through 11.6.x across multiple maintenance lines. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the low authentication bar combined with network accessibility and low attack complexity makes this a credible insider threat or targeted denial-of-service vector against any exposed Mattermost deployment.

Denial Of Service Race Condition Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3473 Go MEDIUM PATCH GHSA This Month

File ownership and access control enforcement is absent in the Boards API across four release branches of Mattermost, allowing any authenticated user to access and download files belonging to other users or teams by submitting crafted API requests containing valid file IDs. Affected deployments span versions 10.11.x through 11.6.x per EUVD-2026-31429 and vendor advisory MMSA-2026-00620. CVSS scores this at 5.9 (Medium) reflecting high attack complexity due to the file ID prerequisite; no public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-4646 Go MEDIUM PATCH This Month

Authenticated denial-of-service in Mattermost's plugin subsystem allows a low-privileged user to crash the plugin process by sending a crafted HTTP request to the PR details API endpoint. Affected across four active release branches (10.11.x, 11.4.x, 11.5.x, 11.6.x), the flaw stems from missing input validation in API request handlers (CWE-1287). No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the low authentication barrier (any valid account) combined with network accessibility makes it a realistic insider or post-compromise nuisance risk.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-3636 Go MEDIUM PATCH This Month

Team member role data leaks from Mattermost's API across multiple actively maintained release branches due to missing sanitization of response payloads for low-privilege callers. Any authenticated user - regardless of their team role - can invoke standard team API endpoints and receive unsanitized member objects that expose role designations such as admin or system_admin. The vulnerability spans 10.11.x through 11.6.x, has no public exploit code, and is not listed in CISA KEV, but the low attack complexity and broad version coverage make it a meaningful reconnaissance risk in enterprise or multi-tenant deployments.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5740 Go HIGH PATCH GHSA This Week

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5308 Go MEDIUM PATCH GHSA This Month

Denial of service in Mattermost's plugin HTTP endpoint layer allows an authenticated high-privilege attacker to exhaust server resources by sending crafted oversized HTTP request bodies. Affected across four concurrent release branches - 10.11.x through 11.6.x - with no published EPSS score and no confirmed active exploitation or public proof-of-concept at time of analysis. The CVSS score of 4.9 (Medium) accurately reflects the high-privilege prerequisite that meaningfully limits the realistic attacker population, though availability impact is rated High, meaning successful exploitation disrupts service availability entirely.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-5755 Go MEDIUM PATCH This Month

Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.

File Upload Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46548 npm MEDIUM PATCH GHSA This Month

SSRF protection bypass in NocoDB's notification webhook plugins (Slack, Discord, Mattermost, Teams) allows authenticated Editor-level users to issue outbound POST requests to arbitrary internal hosts, including cloud-metadata endpoints. The root cause is a misplaced axios argument: `httpAgent`/`httpsAgent` were serialized into the request body instead of being passed as axios connection config, rendering the `request-filtering-agent` SSRF guard entirely ineffective across all four plugins. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Mattermost SSRF
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22880 MEDIUM This Month

SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.

Microsoft CSRF Mattermost
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4858 Go HIGH PATCH GHSA This Week

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. CVSS 8.0 reflects high impact across confidentiality, integrity, and availability despite high attack complexity and required user interaction.

Path Traversal Mattermost
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-4055 Go MEDIUM PATCH This Month

Incorrect authorization in Mattermost Playbooks (versions 11.5.0-11.5.1) allows any authenticated team member to create playbook runs in teams where they hold no run_create permission, by supplying an arbitrary team ID in the run creation API request. The server validates permissions only against the user's originating context rather than the target team specified in the payload, a classic authorization bypass rooted in CWE-863. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the low attack complexity makes this trivially exploitable by any authenticated insider or compromised account.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3471 MEDIUM This Month

Mattermost Desktop App can be repeatedly crashed by malicious server administrators through JavaScript URL injection in pop-up windows. Attackers controlling a Mattermost server can force connected desktop clients to become unusable by exploiting improper URL validation, requiring user interaction (connecting to the malicious server). No public exploit code identified at time of analysis, though the attack method is trivial to implement given the disclosed details.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4643 LOW Monitor

Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via compromised server, malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data not available; no public exploit code identified at time of analysis. CVSS 3.5 (Low severity) reflects limited impact scope - disruption to individual user sessions rather than system-wide compromise.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6333 Go LOW PATCH Monitor

Server-Side Request Forgery in Mattermost 10.11.x through 11.5.1 allows authenticated attackers with slash command access to redirect custom slash command responses to attacker-controlled servers by manipulating the Host header. The vulnerability requires low-privileged authentication and high attack complexity (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), resulting in a CVSS score of 3.5. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis. Vendor advisory available at mattermost.com/security-updates provides remediation guidance.

Mattermost SSRF
NVD VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6345 Go MEDIUM PATCH This Month

Password disclosure in Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3 allows high-privilege administrators to view newly created user credentials, enabling impersonation attacks. The CVSS score of 6.5 reflects medium severity, requiring high-privilege access (PR:H) but offering network-based exploitation (AV:N) with low complexity (AC:L). While not currently listed in CISA KEV and no public exploit identified at time of analysis, the vendor-confirmed vulnerability (Mattermost Advisory MMSA-2026-00614) presents real risk in environments where privileged accounts are compromised or insider threats exist.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6346 Go HIGH PATCH GHSA This Week

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sanitization of configuration fields. System administrators or anyone with access to support packets can obtain database passwords, API keys, and other sensitive credentials by downloading support packets from the System Console. The vulnerability affects multiple version branches (10.11.x, 11.4.x, 11.5.x) and poses significant risk for credential theft and lateral movement.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28732 Go MEDIUM PATCH This Month

Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6343 Go MEDIUM PATCH This Month

Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6347 Go HIGH PATCH GHSA This Week

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 exposes TURN server credentials through support packets. Administrators with support packet access can extract plaintext credentials from exported plugin configurations, potentially compromising the WebRTC infrastructure used for voice/video calls. The vulnerability requires high privileges (admin) but affects confidentiality across trust boundaries (CVSS Scope:Changed).

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-5163 Go MEDIUM PATCH This Month

Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3117 MEDIUM This Month

{option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.

Mattermost Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4286 Go LOW PATCH Monitor

Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6339 Go MEDIUM PATCH This Month

Authenticated Mattermost channel members can forcibly reveal burn-on-read messages without recipient consent by exploiting missing X-Requested-With header validation on the reveal endpoint through crafted Markdown image tags. This bypasses the intended ephemeral messaging security control in Mattermost versions 11.4.x through 11.4.3 and 11.5.x through 11.5.1. The CVSS vector indicates network-accessible exploitation by low-privileged authenticated users with low attack complexity. Exploitation status: no public exploit identified at time of analysis. EPSS data not provided.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6340 Go MEDIUM PATCH This Month

Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6341 MEDIUM This Month

Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6342 MEDIUM This Month

Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3495 Go LOW PATCH Monitor

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.

Mattermost XSS
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-4273 Go LOW PATCH Monitor

Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-3637 Go MEDIUM PATCH This Month

Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2325 Go MEDIUM PATCH This Month

Resource exhaustion in Mattermost Server 10.11.x through 11.5.1 allows authenticated users to trigger denial of service by sending oversized HTTP POST requests to the /api/v1/meetings endpoint. The vulnerability affects three active release branches with no request size validation on the meeting start API. EPSS data not available; no confirmed active exploitation (not in CISA KEV); authentication requirement (PR:L) reduces immediate exposure to internal or compromised users. Vendor advisory MMSA-2026-00608 confirms the issue.

Mattermost Denial Of Service
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28759 Go MEDIUM PATCH This Month

Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

Mattermost Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6334 Go LOW PATCH Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Mattermost Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-4053 Go LOW PATCH Monitor

Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-4054 Go MEDIUM PATCH This Month

Client-side denial-of-service in Mattermost allows remote attackers to crash user browsers via maliciously crafted SVG files embedded in OpenGraph metadata or Markdown images. The vulnerability affects Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3, where the server fails to validate proxied image response bodies. Attackers exploit this by serving SVG files with misleading Content-Type headers (e.g., image/png) that bypass validation, causing resource exhaustion when rendered in victim browsers. CVSS rates this 4.3 (Medium) with network attack vector requiring user interaction, while EPSS data is not available. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-45003 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.

Mattermost Synology Information Disclosure
NVD GitHub
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-3590 Go MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to enforce atomic consumption of guest magic link tokens, allowing unauthenticated attackers to establish multiple concurrent authenticated sessions from a single valid magic link. This enables unauthorized access and potential information disclosure without requiring additional credentials or user interaction beyond intercepting or obtaining the link.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28741 Go MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to validate CSRF tokens on authentication endpoints, allowing remote attackers to update a targeted user's authentication method by tricking them into visiting a malicious page. The attack requires user interaction (UI:R) and results in high confidentiality and integrity impact, but no public exploit or CISA KEV confirmation has been identified at the time of analysis.

CSRF Mattermost
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-27769 Go LOW PATCH Monitor

Mattermost versions 10.11.0 through 10.11.12 fail to validate workspace ownership during Connected Workspaces API interactions, allowing a malicious remote server with high privileges to modify the displayed status of local users. This affects organizations using the Connected Workspaces federation feature and requires an attacker to already possess high administrative privileges on a connected remote instance. The vulnerability has CVSS 2.7 (low severity) and no public exploit code or active exploitation has been identified.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-24661 Go LOW PATCH Monitor

Mattermost Plugins versions 2.1.3.0 and earlier allow remote attackers without authentication to cause denial of service through memory exhaustion by sending oversized JSON payloads to the /changes webhook endpoint. The vulnerability stems from a lack of request body size validation, enabling attackers to exhaust server memory and crash the service. CVSS is 3.7 (low severity) with low exploitability complexity, and no public exploit or active exploitation has been confirmed.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-21388 Go LOW PATCH Monitor

Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-3524 HIGH This Week

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal hold data without proper permission validation. After failed authorization checks, the plugin continues processing requests instead of terminating them, enabling low-privileged authenticated users to access, create, download, and delete sensitive legal hold data through direct API calls. This represents a critical failure in access control enforcement for compliance-critical data. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Authentication Bypass Mattermost
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3112 Go MEDIUM PATCH This Month

Mattermost Advanced Logging configuration fails to properly validate file target paths, allowing authenticated system administrators to read arbitrary files from the host system during support packet generation. The vulnerability affects Mattermost versions 11.4.0 and earlier in the 11.4.x line, 11.3.1 and earlier in the 11.3.x line, 11.2.3 and earlier in the 11.2.x line, and 10.11.11 and earlier in the 10.11.x line. An authenticated administrator with access to Advanced Logging JSON configuration can craft a malicious configuration to traverse the filesystem and extract sensitive host files through the support packet mechanism. No public exploit code has been identified at time of analysis, though exploitation requires administrative privileges and is not automatable according to CISA SSVC assessment.

Path Traversal Mattermost
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-3109 LOW Monitor

Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-3115 Go MEDIUM PATCH This Month

Mattermost versions 11.2.x through 11.4.x fail to enforce view restrictions on group member endpoints, allowing authenticated guest users to enumerate user IDs beyond their authorized visibility scope. This authorization bypass requires valid credentials but enables attackers to discover internal user information through the group retrieval API. No patch is currently available for affected versions.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3114 Go MEDIUM PATCH This Month

Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit identified at time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.

Denial Of Service File Upload Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3116 MEDIUM This Month

Mattermost Plugins versions 11.4 and earlier fail to validate incoming request sizes on webhook endpoints, allowing authenticated attackers to trigger denial of service by sending oversized requests. The vulnerability affects multiple Mattermost release branches (10.x, 11.0.x, 11.1.x, 11.3.x) and has been assigned CVSS 4.9 (medium severity) with no public exploit identified at time of analysis. While exploitability requires high-privilege authentication and manual intervention, the lack of request size enforcement on webhooks represents a fundamental input validation gap that could disrupt service availability in production environments.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-3113 Go MEDIUM PATCH This Month

Mattermost bulk export functionality fails to apply proper file permissions, allowing unprivileged local users on affected servers to read sensitive exported data. Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 are vulnerable (CVE-2026-3113, MMSA-2026-00593). An authenticated local attacker with login credentials can access bulk export files created by other users, leading to unauthorized information disclosure of potentially sensitive team and channel communications. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the vulnerability's automatable nature and low attack complexity warrant prompt patching.

Information Disclosure Mattermost
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3108 Go HIGH PATCH GHSA This Week

Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-generated post content, enabling authenticated low-privilege attackers to inject malicious terminal control codes when administrators export or query messages. Exploitation allows screen manipulation, fake prompt injection, and clipboard hijacking against administrators running mmctl commands, potentially leading to secondary code execution if administrators are tricked into running injected commands. CISA SSVC framework indicates no current exploitation, non-automatable attack requiring high complexity and user interaction, but with total technical impact potential.

Information Disclosure Mattermost
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-4274 Go MEDIUM PATCH This Month

Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.

Mattermost Privilege Escalation Debian
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27659 Go MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Mattermost's access control policy activation endpoint due to improper CSRF token validation. Authenticated attackers can exploit this to trick administrators into activating or deactivating access control policies via crafted requests, potentially altering security posture. The vulnerability affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.0. No public exploitation or active KEV status has been reported, though the CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requirements, limiting immediate real-world threat severity.

CSRF Mattermost
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20719 Go MEDIUM PATCH This Month

Mattermost fails to properly sanitize external SVG rendering in link embeds, allowing unauthenticated users to trigger denial-of-service conditions in both web and desktop applications. An attacker can create a malicious GitHub issue or pull request containing a crafted external SVG that crashes the Mattermost webapp and desktop client when the link is embedded. This vulnerability affects Mattermost versions 11.4.0 and below, 11.3.1 and below, 11.2.3 and below, and 10.11.11 and below, with a CVSS score of 4.3 indicating low-to-moderate severity focused on availability impact rather than confidentiality or integrity.

Denial Of Service Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27656 Go MEDIUM PATCH This Month

Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-1629 MEDIUM This Month

Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26230 LOW Monitor

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 3.8
LOW Monitor

Insufficient sanitization of team objects in Mattermost's scheme teams API endpoint allows an authenticated user holding the User Manager role to extract invite links for private teams from API responses and use those links to join or redistribute access to those teams. Affected versions are 11.7.x through 11.7.2 and 10.11.x through 10.11.19. No public exploit identified at time of analysis and exploitation has not been confirmed by CISA KEV, but the low attack complexity (AC:L) means a malicious User Manager could reliably reproduce this without trial and error.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Deactivated guest accounts in Mattermost 11.6.x through 11.6.4 and 11.7.x through 11.7.2 can regain platform access using magic-link tokens issued before deactivation, because the magic-link login path omits an account-status check during session creation. This directly undermines guest account revocation as an access control mechanism - administrators who deactivate a guest account expecting immediate exclusion will find the control is defeatable while any pre-issued token remains valid. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Catastrophic regex backtracking in Mattermost's client-side markdown parser can be triggered by an authenticated user posting a specially crafted message attachment, causing a denial-of-service condition for every user rendering that channel. Affected builds span versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low exploitation complexity (AC:L, PR:L) lowers the bar for any authenticated insider or compromised account.

Denial Of Service Mattermost
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

Credential exposure in Mattermost Plugins (all branches ≤11.6, fixed in 10.18.11, 11.3.6, and 11.6.5.0) leaks valid or partially reconstructable OpenAI API keys into mattermost.log when the OpenAI API returns authentication failure responses. Any user with privileged read access to server logs or downloadable support packets can recover the key and authenticate to the victim organization's OpenAI account. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Scope:Changed rating reflects that successful exploitation grants unauthorized access to an external, out-of-scope resource - the OpenAI account - with full confidentiality impact.

Mattermost Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. No public exploit code or CISA KEV listing is present in the available data; exploitation is constrained to attackers who already have local access to the stdio MCP interface.

SSRF Mattermost Mattermost Server
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Markdown image rendering restrictions in Mattermost are bypassed specifically for AI bot tool result posts, enabling authenticated attackers to exfiltrate data to attacker-controlled infrastructure. Affected are Mattermost versions 10.11.x through 10.11.18, 11.5.x through 11.5.6, and 11.6.x through 11.6.3. When a victim's client renders an AI bot tool result post containing injected markdown image syntax, the client issues an outbound request to the attacker's server, leaking request metadata such as session tokens or channel context. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Code Injection Mattermost Mattermost Server
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Path traversal in Mattermost's Go server module allows authenticated remote attackers to redirect API calls to unintended endpoints by embedding path traversal components (e.g., '../') within crafted ID parameters. The affected library is github.com/mattermost/mattermost/server/public versions prior to v0.1.22, which fails to sanitize path parameters before constructing API route paths. Exploitation yields limited confidentiality and integrity impact (CVSS 5.4 Medium); no public exploit code and no CISA KEV listing have been identified at time of analysis.

Mattermost Path Traversal
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google +1
NVD GitHub VulDB
EPSS 0% CVSS 3.8
LOW Monitor

Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status, affecting versions 11.7.0 and 10.11.17 and earlier. The root cause is missing validation of whether the target of a demotion operation is a bot account, meaning an admin who lacks full system privileges can still weaponize the standard API endpoint against bot identities. No public exploit exists and the vulnerability is not listed in CISA KEV; its real-world priority is low given the high-privilege requirement and limited blast radius.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Subscription hijacking in Mattermost allows authenticated low-privileged users to take control of subscriptions belonging to channels they have no access to by submitting a crafted PUT request to the subscription edit endpoint. The root cause is a missing channel ownership validation check, classified as an Insecure Direct Object Reference (CWE-639), affecting versions across four active release branches (10.11.x, 11.5.x, 11.6.x, 11.7.x). No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654.

Atlassian Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. While no public exploit has been identified at time of analysis, successful abuse disrupts any automated workflows or integration pipelines dependent on the targeted bot accounts.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The /gitlab connect slash command in Mattermost fails to enforce administrator-level authorization on the setDefaultInstance call, enabling any authenticated user to overwrite the workspace-wide default GitLab instance configuration. Affected across four concurrent release trains (11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17), this missing authorization flaw (CWE-862) is exploitable by any valid Mattermost account holder without elevated privileges. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and low privilege requirement make this accessible to any workspace member targeting GitLab integration infrastructure.

Mattermost Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Mattermost Desktop App (versions ≤6.1 and ≤5.5.13.0) allows a malicious Mattermost server owner to crash client applications by injecting a script that calls window.open() with an excessively large URL, exploiting a missing resource limit on URL length processing. Exploitation requires user interaction - the victim must actively connect their Desktop App to an attacker-controlled server - and impact is strictly limited to application availability with no confidentiality or integrity exposure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Mattermost Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. No public exploit identified at time of analysis and EPSS is low (0.18%), but the scope-change CVSS of 7.7 reflects cross-user impact.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 10.11.15/10.11.16 when shared channels with federated peers are in use. An attacker who controls a federated Mattermost server can supply crafted FileInfo.Name values during file sync to write files to arbitrary locations in the target server's filestore. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Mattermost
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding group-link permissions to promote themselves or other group members to team or channel administrator by setting the scheme_admin flag through group syncable link and patch API endpoints. The flaw stems from missing role-management authorization checks, and with a CVSS of 8.8 (network, low complexity, low privileges) it enables tenant-wide takeover of collaboration workspaces; no public exploit identified at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Private message interception in Mattermost affects versions 11.6.x through 11.6.1, 11.5.x through 11.5.4, and 10.11.x through 10.11.16, allowing a low-privileged attacker to receive plugin-generated direct messages intended for bot accounts. The flaw stems from the bot registration flow failing to verify that a claimed username actually belongs to a bot account, enabling an attacker who pre-registers a human account using a predictable plugin bot username to silently hijack those message channels. No public exploit code exists at time of analysis, and exploitation requires both an existing user account and advance knowledge of the target bot's username.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost's team creation API endpoint (POST /api/v4/teams) fails to enforce the PermissionInviteUser authorization check, allowing authenticated users holding only PermissionCreateTeam to configure invite-controlled team settings - including making a team publicly joinable via open invite and restricting membership by allowed domains - that they are explicitly prohibited from setting on existing teams. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release trains up to their respective latest builds. No public exploit identified at time of analysis, and the flaw has not been listed in CISA KEV.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Remote cluster authentication token disclosure in Mattermost's Secure Connections feature allows authenticated users holding the manage_secure_connections permission to retrieve plaintext inter-cluster credentials via a crafted PATCH request. Affected deployments span versions 10.11.x through 10.11.15, 11.5.x through 11.5.4, and 11.6.x through 11.6.1, with a CVSS-rated High confidentiality impact (6.5). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but successful exploitation could undermine the trust model of federated multi-cluster deployments.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. No public exploit identified at time of analysis; EPSS is very low (0.03%) and the SSVC framework reports no observed exploitation.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost's WebSocket layer improperly broadcasts `role_updated` events to all authenticated connections regardless of team or channel membership, enabling guest-level authenticated users to observe permission scheme change notifications for private teams they do not belong to. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release lines. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and broad version impact make patching a straightforward priority for any Mattermost deployment with guest accounts enabled.

Mattermost Information Disclosure
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost server plant files at attacker-chosen paths inside the target server's filestore by supplying a malicious, unsanitized filename through the shared-channel attachment sync protocol. The flaw stems from CWE-22 path traversal in the export-path construction logic and carries CVSS 8.0 with a changed scope, reflecting that a compromised or hostile federation peer can affect resources beyond the plugin's intended boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none' but technical impact as 'total'.

Mattermost Path Traversal
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server process termination in Mattermost is achievable by any authenticated user via a crafted outgoing webhook callback response that contains a null attachment entry - exploiting the server's failure to filter nil elements from attachment payloads before processing (CWE-754). Affected release trains span 10.11.x through 11.6.x, covering a wide installed base. No public exploit exists and EPSS is extremely low at 0.04% (12th percentile), but the availability impact is rated High by CVSS and the attack requires only low-privilege authentication over the network with no user interaction, making this a meaningful insider or compromised-account threat capable of triggering a full service outage.

Denial Of Service Mattermost
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.

Information Disclosure Mattermost
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OAuth scope validation bypass in Mattermost's GitHub integration allows authenticated users to escalate repository access beyond what was originally authorized. By manipulating the scope parameter in the GitHub OAuth authorization URL before the callback is processed, a low-privileged Mattermost user can obtain a GitHub token with broader permissions - including access to private repositories - than the application intended to grant. Affecting versions across four active release branches (10.11.x through 11.6.x), this is no public exploit identified at time of analysis and is not listed in CISA KEV, but the low complexity and authentication-only barrier make it a realistic insider or compromised-account risk.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server crash via race condition in Mattermost's persistent notification and channel archival subsystem allows any low-privileged authenticated user to bring down the server with no user interaction required. Affected branches span 10.11.x through 11.6.x across multiple maintenance lines. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the low authentication bar combined with network accessibility and low attack complexity makes this a credible insider threat or targeted denial-of-service vector against any exposed Mattermost deployment.

Denial Of Service Race Condition Mattermost
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

File ownership and access control enforcement is absent in the Boards API across four release branches of Mattermost, allowing any authenticated user to access and download files belonging to other users or teams by submitting crafted API requests containing valid file IDs. Affected deployments span versions 10.11.x through 11.6.x per EUVD-2026-31429 and vendor advisory MMSA-2026-00620. CVSS scores this at 5.9 (Medium) reflecting high attack complexity due to the file ID prerequisite; no public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authenticated denial-of-service in Mattermost's plugin subsystem allows a low-privileged user to crash the plugin process by sending a crafted HTTP request to the PR details API endpoint. Affected across four active release branches (10.11.x, 11.4.x, 11.5.x, 11.6.x), the flaw stems from missing input validation in API request handlers (CWE-1287). No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the low authentication barrier (any valid account) combined with network accessibility makes it a realistic insider or post-compromise nuisance risk.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Team member role data leaks from Mattermost's API across multiple actively maintained release branches due to missing sanitization of response payloads for low-privilege callers. Any authenticated user - regardless of their team role - can invoke standard team API endpoints and receive unsanitized member objects that expose role designations such as admin or system_admin. The vulnerability spans 10.11.x through 11.6.x, has no public exploit code, and is not listed in CISA KEV, but the low attack complexity and broad version coverage make it a meaningful reconnaissance risk in enterprise or multi-tenant deployments.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Denial of service in Mattermost's plugin HTTP endpoint layer allows an authenticated high-privilege attacker to exhaust server resources by sending crafted oversized HTTP request bodies. Affected across four concurrent release branches - 10.11.x through 11.6.x - with no published EPSS score and no confirmed active exploitation or public proof-of-concept at time of analysis. The CVSS score of 4.9 (Medium) accurately reflects the high-privilege prerequisite that meaningfully limits the realistic attacker population, though availability impact is rated High, meaning successful exploitation disrupts service availability entirely.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled memory allocation in Mattermost's TIFF image processing allows authenticated users to trigger server-side out-of-memory (OOM) conditions, effectively taking down the collaboration platform. Affected are all Mattermost deployments running versions 10.11.x through 11.6.0. Any account holding file upload or URL-posting permissions can exploit this remotely without elevated privileges, making it a realistic insider or compromised-account threat. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad authentication base increase practical risk.

File Upload Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

SSRF protection bypass in NocoDB's notification webhook plugins (Slack, Discord, Mattermost, Teams) allows authenticated Editor-level users to issue outbound POST requests to arbitrary internal hosts, including cloud-metadata endpoints. The root cause is a misplaced axios argument: `httpAgent`/`httpsAgent` were serialized into the request body instead of being passed as axios connection config, rendering the `request-filtering-agent` SSRF guard entirely ineffective across all four plugins. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Mattermost SSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.

Microsoft CSRF Mattermost
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. CVSS 8.0 reflects high impact across confidentiality, integrity, and availability despite high attack complexity and required user interaction.

Path Traversal Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Mattermost Playbooks (versions 11.5.0-11.5.1) allows any authenticated team member to create playbook runs in teams where they hold no run_create permission, by supplying an arbitrary team ID in the run creation API request. The server validates permissions only against the user's originating context rather than the target team specified in the payload, a classic authorization bypass rooted in CWE-863. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the low attack complexity makes this trivially exploitable by any authenticated insider or compromised account.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Mattermost Desktop App can be repeatedly crashed by malicious server administrators through JavaScript URL injection in pop-up windows. Attackers controlling a Mattermost server can force connected desktop clients to become unusable by exploiting improper URL validation, requiring user interaction (connecting to the malicious server). No public exploit code identified at time of analysis, though the attack method is trivial to implement given the disclosed details.

Mattermost Denial Of Service
NVD VulDB
EPSS 0% CVSS 3.5
LOW Monitor

Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via compromised server, malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data not available; no public exploit code identified at time of analysis. CVSS 3.5 (Low severity) reflects limited impact scope - disruption to individual user sessions rather than system-wide compromise.

Mattermost Denial Of Service
NVD VulDB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Server-Side Request Forgery in Mattermost 10.11.x through 11.5.1 allows authenticated attackers with slash command access to redirect custom slash command responses to attacker-controlled servers by manipulating the Host header. The vulnerability requires low-privileged authentication and high attack complexity (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), resulting in a CVSS score of 3.5. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis. Vendor advisory available at mattermost.com/security-updates provides remediation guidance.

Mattermost SSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Password disclosure in Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3 allows high-privilege administrators to view newly created user credentials, enabling impersonation attacks. The CVSS score of 6.5 reflects medium severity, requiring high-privilege access (PR:H) but offering network-based exploitation (AV:N) with low complexity (AC:L). While not currently listed in CISA KEV and no public exploit identified at time of analysis, the vendor-confirmed vulnerability (Mattermost Advisory MMSA-2026-00614) presents real risk in environments where privileged accounts are compromised or insider threats exist.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sanitization of configuration fields. System administrators or anyone with access to support packets can obtain database passwords, API keys, and other sensitive credentials by downloading support packets from the System Console. The vulnerability affects multiple version branches (10.11.x, 11.4.x, 11.5.x) and poses significant risk for credential theft and lateral movement.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authenticated team members with 'Manage Own Slash Commands' permission can hijack existing slash commands in Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 by editing their own command triggers to match already-registered system or custom commands. This privilege escalation flaw (CWE-863: Incorrect Authorization) enables command impersonation, allowing attackers to intercept and potentially manipulate user interactions with legitimate slash commands. With CVSS 4.3 (low-medium severity) and EPSS data unavailable, real-world risk depends heavily on organizational use of slash commands for sensitive operations. No public exploit identified at time of analysis, and the attack requires authenticated access with specific permissions, limiting immediate exposure compared to unauthenticated network vulnerabilities.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized access to public playbooks in Mattermost 10.11.x through 11.5.x allows authenticated users without proper permissions to retrieve public playbooks via the /get endpoint. The vulnerability affects all versions from 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 due to missing public/private permission validation. With CVSS 4.3 (Medium) and requiring authenticated access (PR:L), this represents a privilege escalation issue allowing disclosure of potentially sensitive playbook configurations, but is limited to low confidentiality impact without integrity or availability compromise. No active exploitation confirmed (not in CISA KEV) and EPSS data not provided.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 exposes TURN server credentials through support packets. Administrators with support packet access can extract plaintext credentials from exported plugin configurations, potentially compromising the WebRTC infrastructure used for voice/video calls. The vulnerability requires high privileges (admin) but affects confidentiality across trust boundaries (CVSS Scope:Changed).

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

{option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.

Mattermost Authentication Bypass Gitlab
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authenticated Mattermost channel members can forcibly reveal burn-on-read messages without recipient consent by exploiting missing X-Requested-With header validation on the reveal endpoint through crafted Markdown image tags. This bypasses the intended ephemeral messaging security control in Mattermost versions 11.4.x through 11.4.3 and 11.5.x through 11.5.1. The CVSS vector indicates network-accessible exploitation by low-privileged authenticated users with low attack complexity. Exploitation status: no public exploit identified at time of analysis. EPSS data not provided.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Mattermost Denial Of Service
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite network-based attack vector (AV:N). No active exploitation confirmed (not in CISA KEV). EPSS data not available for recent CVE. This is a stored XSS vulnerability affecting administrative workflows rather than end users.

Mattermost XSS
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Resource exhaustion in Mattermost Server 10.11.x through 11.5.1 allows authenticated users to trigger denial of service by sending oversized HTTP POST requests to the /api/v1/meetings endpoint. The vulnerability affects three active release branches with no request size validation on the meeting start API. EPSS data not available; no confirmed active exploitation (not in CISA KEV); authentication requirement (PR:L) reduces immediate exposure to internal or compromised users. Vendor advisory MMSA-2026-00608 confirms the issue.

Mattermost Denial Of Service
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Mattermost Information Disclosure Microsoft
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Client-side denial-of-service in Mattermost allows remote attackers to crash user browsers via maliciously crafted SVG files embedded in OpenGraph metadata or Markdown images. The vulnerability affects Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3, where the server fails to validate proxied image response bodies. Attackers exploit this by serving SVG files with misleading Content-Type headers (e.g., image/png) that bypass validation, causing resource exhaustion when rendered in victim browsers. CVSS rates this 4.3 (Medium) with network attack vector requiring user interaction, while EPSS data is not available. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.

Mattermost Synology Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to enforce atomic consumption of guest magic link tokens, allowing unauthenticated attackers to establish multiple concurrent authenticated sessions from a single valid magic link. This enables unauthorized access and potential information disclosure without requiring additional credentials or user interaction beyond intercepting or obtaining the link.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to validate CSRF tokens on authentication endpoints, allowing remote attackers to update a targeted user's authentication method by tricking them into visiting a malicious page. The attack requires user interaction (UI:R) and results in high confidentiality and integrity impact, but no public exploit or CISA KEV confirmation has been identified at the time of analysis.

CSRF Mattermost
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Mattermost versions 10.11.0 through 10.11.12 fail to validate workspace ownership during Connected Workspaces API interactions, allowing a malicious remote server with high privileges to modify the displayed status of local users. This affects organizations using the Connected Workspaces federation feature and requires an attacker to already possess high administrative privileges on a connected remote instance. The vulnerability has CVSS 2.7 (low severity) and no public exploit code or active exploitation has been identified.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Mattermost Plugins versions 2.1.3.0 and earlier allow remote attackers without authentication to cause denial of service through memory exhaustion by sending oversized JSON payloads to the /changes webhook endpoint. The vulnerability stems from a lack of request body size validation, enabling attackers to exhaust server memory and crash the service. CVSS is 3.7 (low severity) with low exploitability complexity, and no public exploit or active exploitation has been confirmed.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal hold data without proper permission validation. After failed authorization checks, the plugin continues processing requests instead of terminating them, enabling low-privileged authenticated users to access, create, download, and delete sensitive legal hold data through direct API calls. This represents a critical failure in access control enforcement for compliance-critical data. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Mattermost Advanced Logging configuration fails to properly validate file target paths, allowing authenticated system administrators to read arbitrary files from the host system during support packet generation. The vulnerability affects Mattermost versions 11.4.0 and earlier in the 11.4.x line, 11.3.1 and earlier in the 11.3.x line, 11.2.3 and earlier in the 11.2.x line, and 10.11.11 and earlier in the 10.11.x line. An authenticated administrator with access to Advanced Logging JSON configuration can craft a malicious configuration to traverse the filesystem and extract sensitive host files through the support packet mechanism. No public exploit code has been identified at time of analysis, though exploitation requires administrative privileges and is not automatable according to CISA SSVC assessment.

Path Traversal Mattermost
NVD VulDB
EPSS 0% CVSS 2.2
LOW Monitor

Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mattermost versions 11.2.x through 11.4.x fail to enforce view restrictions on group member endpoints, allowing authenticated guest users to enumerate user IDs beyond their authorized visibility scope. This authorization bypass requires valid credentials but enables attackers to discover internal user information through the group retrieval API. No patch is currently available for affected versions.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit identified at time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.

Denial Of Service File Upload Mattermost
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Mattermost Plugins versions 11.4 and earlier fail to validate incoming request sizes on webhook endpoints, allowing authenticated attackers to trigger denial of service by sending oversized requests. The vulnerability affects multiple Mattermost release branches (10.x, 11.0.x, 11.1.x, 11.3.x) and has been assigned CVSS 4.9 (medium severity) with no public exploit identified at time of analysis. While exploitability requires high-privilege authentication and manual intervention, the lack of request size enforcement on webhooks represents a fundamental input validation gap that could disrupt service availability in production environments.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Mattermost bulk export functionality fails to apply proper file permissions, allowing unprivileged local users on affected servers to read sensitive exported data. Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 are vulnerable (CVE-2026-3113, MMSA-2026-00593). An authenticated local attacker with login credentials can access bulk export files created by other users, leading to unauthorized information disclosure of potentially sensitive team and channel communications. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog, though the vulnerability's automatable nature and low attack complexity warrant prompt patching.

Information Disclosure Mattermost
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-generated post content, enabling authenticated low-privilege attackers to inject malicious terminal control codes when administrators export or query messages. Exploitation allows screen manipulation, fake prompt injection, and clipboard hijacking against administrators running mmctl commands, potentially leading to secondary code execution if administrators are tricked into running injected commands. CISA SSVC framework indicates no current exploitation, non-automatable attack requiring high complexity and user interaction, but with total technical impact potential.

Information Disclosure Mattermost
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Mattermost versions 11.2.x through 11.2.2, 10.11.x through 10.11.10, 11.4.0, and 11.3.x through 11.3.1 fail to properly restrict team-level access during remote cluster membership synchronization, allowing a malicious remote cluster to grant users access to entire private teams rather than limiting access to only shared channels. An authenticated attacker controlling a federated remote cluster can send crafted membership sync messages to trigger unintended team membership assignment, resulting in unauthorized access to private team resources. The EPSS score of 0.03% (percentile 7%) indicates low real-world exploitation probability, and no public exploit code has been identified at time of analysis.

Mattermost Privilege Escalation Debian
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Mattermost's access control policy activation endpoint due to improper CSRF token validation. Authenticated attackers can exploit this to trick administrators into activating or deactivating access control policies via crafted requests, potentially altering security posture. The vulnerability affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.0. No public exploitation or active KEV status has been reported, though the CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requirements, limiting immediate real-world threat severity.

CSRF Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mattermost fails to properly sanitize external SVG rendering in link embeds, allowing unauthenticated users to trigger denial-of-service conditions in both web and desktop applications. An attacker can create a malicious GitHub issue or pull request containing a crafted external SVG that crashes the Mattermost webapp and desktop client when the link is embedded. This vulnerability affects Mattermost versions 11.4.0 and below, 11.3.1 and below, 11.2.3 and below, and 10.11.11 and below, with a CVSS score of 4.3 indicating low-to-moderate severity focused on availability impact rather than confidentiality or integrity.

Denial Of Service Mattermost
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role.

Authentication Bypass Mattermost
NVD VulDB
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy