mattermost
607 tracked vulnerabilities.
CVE-2026-9824
MEDIUM
Mattermost - Remote Cluster Metadata Enumeration via /share-channel Autocomplete
Jul 13, 2026
CVSS 4.3
CVE-2026-9820
LOW
Mattermost schemes teams endpoint exposes private team invite IDs
Jul 13, 2026
CVSS 3.8
CVE-2026-6541
MEDIUM
Mattermost - Unscoped Updates to Other Playbooks' Metric Configuration
Jul 13, 2026
CVSS 4.3
CVE-2026-9708
MEDIUM
Mattermost - Incoming Webhook User Attribution via Unvalidated Webhook Owner
Jul 13, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-9597
MEDIUM
Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Jul 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-9571
MEDIUM
Mattermost 10.11/11.6/11.7 - OAuth Refresh Token Invalidation Bypass
Jul 13, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-6850
MEDIUM
Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-10106
MEDIUM
Mattermost 10.11/11.6/11.7 - Private Channel Post Action Authorization Bypass
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-10103
MEDIUM
Mattermost 10.11/11.6/11.7 - Shared Channel Post Ownership Bypass
Jul 13, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-10085
MEDIUM
Ordinary group/direct message member can enable group_constrained and remove all channel participants
Jul 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-9699
MEDIUM
Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Jun 26, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-4339
MEDIUM
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Jun 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-3472
LOW
Markdown image rendering bypass in AI bot tool result posts in Mattermost
Jun 26, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-13426
MEDIUM
Client4 fails to validate path parameters
Jun 26, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-2299
MEDIUM
Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
Jun 25, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-8823
LOW
User Manager can demote bot accounts to guest without bot-management permission
Jun 22, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-9162
MEDIUM
Global session revocation does not invalidate active WebSocket connections
Jun 22, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-8074
LOW
Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Jun 22, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-6673
MEDIUM
Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install
Jun 22, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-6062
MEDIUM
Mattermost - IDOR in Jira Plugin Subscription Edit Endpoint
Jun 22, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-5139
MEDIUM
GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Jun 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-8683
MEDIUM
Overly long URLs crash the Mattermost Desktop App
Jun 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6517
MEDIUM
Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed
Jun 15, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-7387
HIGH
Mattermost group syncable endpoints allow privilege escalation via scheme_admin
Jun 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-7184
MEDIUM
Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
Jun 12, 2026
CVSS 6.5
EPSS 0.00
Products
mattermost_server 451
mattermost 250
mattermost-server 212
Mattermost 104
mattermost_desktop 28
mattermost_mobile 20
confluence 14
mattermost-plugin-confluence 14
mattermost-plugin-playbooks 6
mattermost-plugin-github 4
mattermost-plugin-msteams 4
mattermost-plugin-calls 3
mattermost-plugin-jira 3
Focalboard 2
focalboard 2
mattermost-plugin-boards 2
mattermost-plugin-zoom 2
mattermost_boards 2
ms_teams 2
playbooks 2
zoom 2
Mattermost Google Drive Plugin 1
channel_export 1
github.com/mattermost/mattermost/server/public 1
legal_hold 1
mattermost-plugin-channel-export 1
mattermost-plugin-msteams-meetings 1
mattermost_channel_export 1
mattermost_packages 1
mattermost_plugins 1
Quick Filters