VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (152)

  • CVE-2025-14350 (Feb 16, 2026)
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observ

  • CVE-2025-13821 (Feb 16, 2026)
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Ad

  • CVE-2026-0999 (Feb 16, 2026)
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

  • CVE-2026-20796 (Feb 13, 2026)
    affected >= 10.11.0, < 10.11.10; fixed 10.11.10

    Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MM

  • CVE-2026-22892 (Feb 13, 2026)
    affected >= 11.2.0, < 11.2.2; fixed 11.2.2

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels t

  • CVE-2025-14435 (Jan 16, 2026)
    affected >= 10.11.0, < 10.11.9; fixed 10.11.9

    Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

  • CVE-2025-14822 (Jan 16, 2026)
    affected >= 10.11.0, < 10.11.9; fixed 10.11.9

    Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens

  • CVE-2025-64641 (Dec 24, 2025)
    affected >= 10.11.0, < 10.11.8; fixed 10.11.8

    Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users in

  • CVE-2025-13767 (Dec 24, 2025)
    affected >= 10.11.0, < 10.11.8; fixed 10.11.8

    Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post

  • CVE-2025-13324 (Dec 17, 2025)
    affected < 11.0.4; fixed 11.0.4

    Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an in

  • CVE-2025-12421 (Nov 27, 2025)
    affected >= 11.0.0, < 11.0.3; fixed 11.0.3

    Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specia

  • CVE-2025-12559 (Nov 27, 2025)
    affected >= 11.0.0, < 11.0.3; fixed 11.0.3

    Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/comm

  • CVE-2025-12419 (Nov 27, 2025)
    affected >= 10.12.0, < 10.12.2; fixed 10.12.2

    Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via m

  • CVE-2025-55074 (Nov 18, 2025)
    affected >= 10.11.0, < 10.11.4; fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

  • CVE-2025-11794 (Nov 14, 2025)
    affected >= 10.11.0, < 10.11.4; fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

  • CVE-2025-55073 (Nov 14, 2025)
    affected >= 10.11.0, < 10.11.4; fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.

  • CVE-2025-55070 (Nov 14, 2025)
    affected < 11.1.0; fixed 11.1.0

    Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events

  • CVE-2025-41436 (Nov 14, 2025)
    affected < 11.0.0-alpha.1; fixed 11.0.0-alpha.1

    Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads

  • CVE-2025-11776 (Nov 14, 2025)
    affected < 5.3.2-0.20250815165020-c8d66301415d; fixed 5.3.2-0.20250815165020-c8d66301415d

    Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

  • CVE-2025-11777 (Nov 13, 2025)
    affected >= 10.11.0, < 10.11.4; fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

Page 2 of 8