Go modules package
github.com/mattermost/mattermost-server
pkg:golang/github.com/mattermost/mattermost-server
Vulnerabilities (161)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12559 | — | >= 11.0.0, < 11.0.3 | 11.0.3 | Nov 27, 2025 | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/comm | ||
| CVE-2025-12419 | — | >= 10.12.0, < 10.12.2 | 10.12.2 | Nov 27, 2025 | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via m | ||
| CVE-2025-55074 | — | >= 10.11.0, < 10.11.4 | 10.11.4 | Nov 18, 2025 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects | ||
| CVE-2025-11794 | — | >= 10.11.0, < 10.11.4 | 10.11.4 | Nov 14, 2025 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint | ||
| CVE-2025-55073 | — | >= 10.11.0, < 10.11.4 | 10.11.4 | Nov 14, 2025 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL. | ||
| CVE-2025-55070 | — | < 11.1.0 | 11.1.0 | Nov 14, 2025 | Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events | ||
| CVE-2025-41436 | — | < 11.0.0-alpha.1 | 11.0.0-alpha.1 | Nov 14, 2025 | Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | ||
| CVE-2025-11776 | — | < 5.3.2-0.20250815165020-c8d66301415d | 5.3.2-0.20250815165020-c8d66301415d | Nov 14, 2025 | Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | ||
| CVE-2025-11777 | — | >= 10.11.0, < 10.11.4 | 10.11.4 | Nov 13, 2025 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | ||
| CVE-2025-58073 | — | >= 10.11.0, < 10.11.2 | 10.11.2 | Oct 16, 2025 | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati | ||
| CVE-2025-41410 | — | >= 10.10.0, < 10.10.3 | 10.10.3 | Oct 16, 2025 | Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based te | ||
| CVE-2025-10545 | — | >= 10.5.0, < 10.5.11 | 10.5.11 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint | ||
| CVE-2025-58075 | — | >= 10.11.0, < 10.11.2 | 10.11.2 | Oct 16, 2025 | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati | ||
| CVE-2025-54499 | — | >= 10.5.0, < 10.5.11 | 10.5.11 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie | ||
| CVE-2025-41443 | — | >= 10.5.0, < 10.5.11 | 10.5.11 | Oct 16, 2025 | Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint | ||
| CVE-2025-9081 | — | >= 10.5.0-rc1, < 10.5.9 | 10.5.9 | Sep 19, 2025 | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | ||
| CVE-2025-9079 | — | >= 10.8.0, < 10.8.4 | 10.8.4 | Sep 19, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | ||
| CVE-2025-9072 | — | >= 10.10.0, < 10.10.2 | 10.10.2 | Sep 15, 2025 | Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled | ||
| CVE-2025-9084 | — | >= 10.5.0, < 10.5.10 | 10.5.10 | Sep 15, 2025 | Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs | ||
| CVE-2025-9078 | — | >= 10.8.0, < 10.8.4 | 10.8.4 | Sep 15, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks |
- CVE-2025-12559Nov 27, 2025affected >= 11.0.0, < 11.0.3fixed 11.0.3
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/comm
- CVE-2025-12419Nov 27, 2025affected >= 10.12.0, < 10.12.2fixed 10.12.2
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via m
- CVE-2025-55074Nov 18, 2025affected >= 10.11.0, < 10.11.4fixed 10.11.4
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects
- CVE-2025-11794Nov 14, 2025affected >= 10.11.0, < 10.11.4fixed 10.11.4
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
- CVE-2025-55073Nov 14, 2025affected >= 10.11.0, < 10.11.4fixed 10.11.4
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
- CVE-2025-55070Nov 14, 2025affected < 11.1.0fixed 11.1.0
Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
- CVE-2025-41436Nov 14, 2025affected < 11.0.0-alpha.1fixed 11.0.0-alpha.1
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
- CVE-2025-11776Nov 14, 2025affected < 5.3.2-0.20250815165020-c8d66301415dfixed 5.3.2-0.20250815165020-c8d66301415d
Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
- CVE-2025-11777Nov 13, 2025affected >= 10.11.0, < 10.11.4fixed 10.11.4
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
- CVE-2025-58073Oct 16, 2025affected >= 10.11.0, < 10.11.2fixed 10.11.2
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati
- CVE-2025-41410Oct 16, 2025affected >= 10.10.0, < 10.10.3fixed 10.10.3
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based te
- CVE-2025-10545Oct 16, 2025affected >= 10.5.0, < 10.5.11fixed 10.5.11
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
- CVE-2025-58075Oct 16, 2025affected >= 10.11.0, < 10.11.2fixed 10.11.2
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati
- CVE-2025-54499Oct 16, 2025affected >= 10.5.0, < 10.5.11fixed 10.5.11
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie
- CVE-2025-41443Oct 16, 2025affected >= 10.5.0, < 10.5.11fixed 10.5.11
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
- CVE-2025-9081Sep 19, 2025affected >= 10.5.0-rc1, < 10.5.9fixed 10.5.9
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
- CVE-2025-9079Sep 19, 2025affected >= 10.8.0, < 10.8.4fixed 10.8.4
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
- CVE-2025-9072Sep 15, 2025affected >= 10.10.0, < 10.10.2fixed 10.10.2
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled
- CVE-2025-9084Sep 15, 2025affected >= 10.5.0, < 10.5.10fixed 10.5.10
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs
- CVE-2025-9078Sep 15, 2025affected >= 10.8.0, < 10.8.4fixed 10.8.4
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks
Page 3 of 9