Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25783 | — | < 5.3.2-0.20260129181235-1346cf529aef | 5.3.2-0.20260129181235-1346cf529aef | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586 | ||
| CVE-2026-24458 | — | < 5.3.2-0.20260129164748-7201f42d955f | 5.3.2-0.20260129164748-7201f42d955f | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00 | ||
| CVE-2026-2578 | — | < 5.3.2-0.20260127062706-c6b205f0d770 | 5.3.2-0.20260127062706-c6b205f0d770 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579 | ||
| CVE-2026-26246 | — | < 5.3.2-0.20260115183946-38b413a27604 | 5.3.2-0.20260115183946-38b413a27604 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. M | ||
| CVE-2026-2458 | — | < 5.3.2-0.20260113182106-a18b80ba4c32 | 5.3.2-0.20260113182106-a18b80ba4c32 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost | ||
| CVE-2026-2457 | — | < 5.3.2-0.20260123211116-9efe617be8b8 | 5.3.2-0.20260123211116-9efe617be8b8 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Matterm | ||
| CVE-2026-2463 | — | < 5.3.2-0.20260105134819-cc427af41b2a | 5.3.2-0.20260105134819-cc427af41b2a | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Matter | ||
| CVE-2026-2456 | — | < 5.3.2-0.20260127165411-fe3052073dc6 | 5.3.2-0.20260127165411-fe3052073dc6 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integratio | ||
| CVE-2025-14573 | — | >= 11.1.0 | — | Feb 16, 2026 | Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 | ||
| CVE-2025-14350 | — | >= 11.1.0 | — | Feb 16, 2026 | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observ | ||
| CVE-2025-13821 | — | >= 11.1.0 | — | Feb 16, 2026 | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Ad | ||
| CVE-2026-0999 | — | >= 11.1.0 | — | Feb 16, 2026 | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548 | ||
| CVE-2026-20796 | — | >= 10.11.0, < 10.11.10 | 10.11.10 | Feb 13, 2026 | Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MM | ||
| CVE-2026-22892 | — | >= 11.2.0, < 11.2.2 | 11.2.2 | Feb 13, 2026 | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels t | ||
| CVE-2025-14435 | — | >= 10.11.0, < 10.11.9 | 10.11.9 | Jan 16, 2026 | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | ||
| CVE-2025-14822 | — | >= 10.11.0, < 10.11.9 | 10.11.9 | Jan 16, 2026 | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens | ||
| CVE-2025-64641 | — | >= 10.11.0, < 10.11.8 | 10.11.8 | Dec 24, 2025 | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users in | ||
| CVE-2025-13767 | — | >= 10.11.0, < 10.11.8 | 10.11.8 | Dec 24, 2025 | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post | ||
| CVE-2025-13324 | — | < 11.0.4 | 11.0.4 | Dec 17, 2025 | Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an in | ||
| CVE-2025-12421 | Cri | 9.9 | >= 11.0.0, < 11.0.3 | 11.0.3 | Nov 27, 2025 | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specia |
- CVE-2026-25783Mar 16, 2026affected < 5.3.2-0.20260129181235-1346cf529aeffixed 5.3.2-0.20260129181235-1346cf529aef
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
- CVE-2026-24458Mar 16, 2026affected < 5.3.2-0.20260129164748-7201f42d955ffixed 5.3.2-0.20260129164748-7201f42d955f
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00
- CVE-2026-2578Mar 16, 2026affected < 5.3.2-0.20260127062706-c6b205f0d770fixed 5.3.2-0.20260127062706-c6b205f0d770
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579
- CVE-2026-26246Mar 16, 2026affected < 5.3.2-0.20260115183946-38b413a27604fixed 5.3.2-0.20260115183946-38b413a27604
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. M
- CVE-2026-2458Mar 16, 2026affected < 5.3.2-0.20260113182106-a18b80ba4c32fixed 5.3.2-0.20260113182106-a18b80ba4c32
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost
- CVE-2026-2457Mar 16, 2026affected < 5.3.2-0.20260123211116-9efe617be8b8fixed 5.3.2-0.20260123211116-9efe617be8b8
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Matterm
- CVE-2026-2463Mar 16, 2026affected < 5.3.2-0.20260105134819-cc427af41b2afixed 5.3.2-0.20260105134819-cc427af41b2a
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Matter
- CVE-2026-2456Mar 16, 2026affected < 5.3.2-0.20260127165411-fe3052073dc6fixed 5.3.2-0.20260127165411-fe3052073dc6
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integratio
- CVE-2025-14573Feb 16, 2026affected >= 11.1.0
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
- CVE-2025-14350Feb 16, 2026affected >= 11.1.0
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observ
- CVE-2025-13821Feb 16, 2026affected >= 11.1.0
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Ad
- CVE-2026-0999Feb 16, 2026affected >= 11.1.0
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
- CVE-2026-20796Feb 13, 2026affected >= 10.11.0, < 10.11.10fixed 10.11.10
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MM
- CVE-2026-22892Feb 13, 2026affected >= 11.2.0, < 11.2.2fixed 11.2.2
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels t
- CVE-2025-14435Jan 16, 2026affected >= 10.11.0, < 10.11.9fixed 10.11.9
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
- CVE-2025-14822Jan 16, 2026affected >= 10.11.0, < 10.11.9fixed 10.11.9
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens
- CVE-2025-64641Dec 24, 2025affected >= 10.11.0, < 10.11.8fixed 10.11.8
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users in
- CVE-2025-13767Dec 24, 2025affected >= 10.11.0, < 10.11.8fixed 10.11.8
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post
- CVE-2025-13324Dec 17, 2025affected < 11.0.4fixed 11.0.4
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an in
- affected >= 11.0.0, < 11.0.3fixed 11.0.3
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specia
Page 2 of 9