Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6347 | Hig | 7.6 | >= 11.5.0, < 11.5.2 | 11.5.2 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present i | |
| CVE-2026-6346 | Hig | 8.7 | < 5.3.2-0.20260326202606-fac92f4a71f3 | 5.3.2-0.20260326202606-fac92f4a71f3 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive | |
| CVE-2026-6345 | Med | 6.5 | < 5.3.2-0.20260311102650-3057ae7e83e9 | 5.3.2-0.20260311102650-3057ae7e83e9 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614 | |
| CVE-2026-6339 | Med | 4.3 | < 5.3.2-0.20260327001745-7a339a6438f5 | 5.3.2-0.20260327001745-7a339a6438f5 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown imag | |
| CVE-2026-6333 | Low | 3.5 | < 5.3.2-0.20260325160634-e738016c5920 | 5.3.2-0.20260325160634-e738016c5920 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host head | |
| CVE-2026-5163 | Med | 6.5 | < 5.3.2-0.20260401090745-f4d1abe7e8f5 | 5.3.2-0.20260401090745-f4d1abe7e8f5 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to th | |
| CVE-2026-4273 | Low | 3.7 | < 5.3.2-0.20260313190740-742e0be95074 | 5.3.2-0.20260313190740-742e0be95074 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token | |
| CVE-2026-2325 | Med | 4.3 | >= 11.5.0, < 11.5.2 | 11.5.2 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST req | |
| CVE-2026-28759 | Med | 4.3 | < 5.3.2-0.20260216150504-8738f8c4b3d4 | 5.3.2-0.20260216150504-8738f8c4b3d4 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any us | |
| CVE-2026-3590 | Med | 6.5 | >= 10.11.0-rc1, < 10.11.13 | 10.11.13 | Apr 15, 2026 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessi | |
| CVE-2026-27769 | Low | 2.7 | >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9 | 8.0.0-20260316060126-bc1a2b34b1f9 | Apr 15, 2026 | Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected | |
| CVE-2026-3113 | — | >= 11.4.0-rc1, < 11.4.1 | 11.4.1 | Mar 26, 2026 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export.. Mattermost Advisory ID: MMSA-2026-00593 | ||
| CVE-2026-27656 | — | >= 11.4.0-rc1, < 11.4.1 | 11.4.1 | Mar 25, 2026 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring | ||
| CVE-2026-26233 | — | >= 11.4.0-rc1, < 11.4.1 | 11.4.1 | Mar 25, 2026 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel l | ||
| CVE-2026-24692 | — | < 5.3.2-0.20260107142155-0481bd1fb045 | 5.3.2-0.20260107142155-0481bd1fb045 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: M | ||
| CVE-2026-22545 | — | < 5.3.2-0.20260127144908-ced9a56e3988 | 5.3.2-0.20260127144908-ced9a56e3988 | Mar 16, 2026 | Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Adviso | ||
| CVE-2026-2455 | — | < 5.3.2-0.20260129133647-5d787969c2d5 | 5.3.2-0.20260129133647-5d787969c2d5 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0. | ||
| CVE-2026-21386 | — | < 5.3.2-0.20260130144323-5bb5261c72fa | 5.3.2-0.20260130144323-5bb5261c72fa | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error mes | ||
| CVE-2026-25780 | — | < 5.3.2-0.20260123215601-86797c508c44 | 5.3.2-0.20260123215601-86797c508c44 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Matter | ||
| CVE-2026-4265 | — | < 5.3.2-0.20260107144005-c7f6efdfb035 | 5.3.2-0.20260107144005-c7f6efdfb035 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission a |
- affected >= 11.5.0, < 11.5.2fixed 11.5.2
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present i
- affected < 5.3.2-0.20260326202606-fac92f4a71f3fixed 5.3.2-0.20260326202606-fac92f4a71f3
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive
- affected < 5.3.2-0.20260311102650-3057ae7e83e9fixed 5.3.2-0.20260311102650-3057ae7e83e9
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614
- affected < 5.3.2-0.20260327001745-7a339a6438f5fixed 5.3.2-0.20260327001745-7a339a6438f5
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown imag
- affected < 5.3.2-0.20260325160634-e738016c5920fixed 5.3.2-0.20260325160634-e738016c5920
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host head
- affected < 5.3.2-0.20260401090745-f4d1abe7e8f5fixed 5.3.2-0.20260401090745-f4d1abe7e8f5
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to th
- affected < 5.3.2-0.20260313190740-742e0be95074fixed 5.3.2-0.20260313190740-742e0be95074
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token
- affected >= 11.5.0, < 11.5.2fixed 11.5.2
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST req
- affected < 5.3.2-0.20260216150504-8738f8c4b3d4fixed 5.3.2-0.20260216150504-8738f8c4b3d4
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any us
- affected >= 10.11.0-rc1, < 10.11.13fixed 10.11.13
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessi
- affected >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9fixed 8.0.0-20260316060126-bc1a2b34b1f9
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected
- CVE-2026-3113Mar 26, 2026affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export.. Mattermost Advisory ID: MMSA-2026-00593
- CVE-2026-27656Mar 25, 2026affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring
- CVE-2026-26233Mar 25, 2026affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel l
- CVE-2026-24692Mar 16, 2026affected < 5.3.2-0.20260107142155-0481bd1fb045fixed 5.3.2-0.20260107142155-0481bd1fb045
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: M
- CVE-2026-22545Mar 16, 2026affected < 5.3.2-0.20260127144908-ced9a56e3988fixed 5.3.2-0.20260127144908-ced9a56e3988
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Adviso
- CVE-2026-2455Mar 16, 2026affected < 5.3.2-0.20260129133647-5d787969c2d5fixed 5.3.2-0.20260129133647-5d787969c2d5
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.
- CVE-2026-21386Mar 16, 2026affected < 5.3.2-0.20260130144323-5bb5261c72fafixed 5.3.2-0.20260130144323-5bb5261c72fa
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error mes
- CVE-2026-25780Mar 16, 2026affected < 5.3.2-0.20260123215601-86797c508c44fixed 5.3.2-0.20260123215601-86797c508c44
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Matter
- CVE-2026-4265Mar 16, 2026affected < 5.3.2-0.20260107144005-c7f6efdfb035fixed 5.3.2-0.20260107144005-c7f6efdfb035
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission a
Page 1 of 9