MatterMost
By the Year
In 2026 there have been 110 vulnerabilities published for Mattermost with an average CVSS base score of 5.2 out of 10. In 2025, 93 Mattermost security vulnerabilities were published, so 2026 has already seen 17 more than the whole of last year, and the average base score in 2026 is also slightly higher, by 0.07.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 110 | 5.19 |
| 2025 | 93 | 5.12 |
| 2024 | 95 | 5.21 |
| 2023 | 84 | 5.67 |
| 2022 | 25 | 6.24 |
| 2021 | 5 | 6.16 |
| 2020 | 1 | 0.00 |
It may take a day or so for new MatterMost vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent MatterMost Security Vulnerabilities
| CVE | Date | Title | Description | Advisory |
|---|---|---|---|---|
| CVE-2026-4339 | Jun 26, 2026 | SSRF via unvalidated URLs in Mattermost Agents MCP | Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server, which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. | MMSA-2026-00635 |
| CVE-2026-9699 | Jun 26, 2026 | Mattermost Plugins <=11.6: OpenAI API key leak via unsanitized error logs | Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. | MMSA-2026-00609 |
| CVE-2026-3472 | Jun 26, 2026 | Markdown image exfiltration via AI bot tool result posts (authenticated) | Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server by injecting markdown image syntax into tool result content rendered by a victim's client. | MMSA-2026-00619 |
| CVE-2026-13426 | Jun 26, 2026 | Mattermost Go module <0.1.22: path validation failure enables API redirect | The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fails to validate path parameters when constructing API route paths, which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. | MMSA-2025-00532 |
| CVE-2026-2299 | Jun 25, 2026 | Mattermost Google Drive plugin <1.1.0: authenticated file share disclosure | The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership. | |
| CVE-2026-8823 | Jun 22, 2026 | Admin can downgrade bots via demote-user API | Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. | MMSA-2026-00669 |
| CVE-2026-6062 | Jun 22, 2026 | Unvalidated channel ownership in subscription edit | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits, which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint. | MMSA-2026-00650 |
| CVE-2026-6673 | Jun 22, 2026 | Auth bypass: unauthenticated POST /ac/installed sharedSecret injection | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window. | MMSA-2026-00654 |
| CVE-2026-8074 | Jun 22, 2026 | Missing bot permission check on user active status endpoint | Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. | MMSA-2026-00667 |
| CVE-2026-9162 | Jun 22, 2026 | WebSocket auth invalidation flaw | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects. | MMSA-2026-00664 |
| CVE-2026-5139 | Jun 22, 2026 | Auth bypass on /gitlab connect | Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the `setDefaultInstance` call within the `/gitlab connect` command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the `/gitlab connect <instance-name>` slash command. | MMSA-2026-00644 |
| CVE-2026-8683 | Jun 15, 2026 | Desktop App <=6.1 URL overflow crash via window.open | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempts to open extremely long URLs, which allows a malicious server owner to crash the application by including a script that calls window.open on a very large URL. | MMSA-2026-00652 |
| CVE-2026-6517 | Jun 15, 2026 | Desktop App <=6.1 NTLM credential leakage via untrusted image domains | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials are forwarded, which allows any user on a server without the image proxy enabled to intercept other users' credentials by embedding an image that routes to an external web server. | MMSA-2026-00651 |
| CVE-2026-6961 | Jun 12, 2026 | Path traversal via FileInfo.Name in shared channel file sync | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. | MMSA-2026-00661 |
| CVE-2026-7387 | Jun 12, 2026 | Privilege escalation via scheme_admin flag on group syncable endpoints | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. | MMSA-2026-00665 |
| CVE-2026-6046 | Jun 12, 2026 | Bot registration validation bypass allows unprivileged DM interception | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. | MMSA-2026-00649 |
| CVE-2026-6689 | Jun 12, 2026 | Team creation privilege escalation | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team, via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body. | MMSA-2026-00655 |
| CVE-2026-7184 | Jun 12, 2026 | Remote Cluster API PATCH token leakage | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the `manage_secure_connections` permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. | MMSA-2026-00662 |
| CVE-2026-6739 | Jun 12, 2026 | Privilege escalation via role patch API | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. | MMSA-2026-00656 |
| CVE-2026-3433 | Jun 12, 2026 | WebSocket role_updated event disclosure | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel, which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection. | MMSA-2026-00616 |
| CVE-2026-6957 | May 27, 2026 | Arbitrary file write via unsanitized filename in shared-channel attachment sync | Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. | MMSA-2026-00659 |
| CVE-2026-4915 | May 25, 2026 | DoS via null webhook attachment | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. | MMSA-2026-00641 |
| CVE-2026-28735 | May 22, 2026 | OAuth scope bypass via GitHub authorization URL | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories by modifying the scope parameter in the GitHub authorization URL. | MMSA-2026-00628 |
| CVE-2026-4635 | May 22, 2026 | Crash via timing of persistent notification deletion and channel archive | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications, which allows an authenticated user to crash the server by timing the creation of a persistent notification message between the server deleting existing persistent notifications and archiving the channel. | MMSA-2026-00637 |
| CVE-2026-3473 | May 22, 2026 | Access control bypass via Boards API | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. | MMSA-2026-00620 |
| CVE-2026-4646 | May 22, 2026 | API input validation flaw causes plugin crash (10.11-11.6) | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. | MMSA-2026-00638 |
| CVE-2026-3636 | May 22, 2026 | Unsanitized team member data leaks member roles | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to obtain data about team members' roles by invoking various team API endpoints. | MMSA-2026-00626 |
| CVE-2026-5740 | May 22, 2026 | Unauthenticated server crash via msgpack WebSocket frame | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. | MMSA-2026-00647 |
| CVE-2026-5308 | May 22, 2026 | Unchecked body size on plugin endpoints (DoS) | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, which allows an attacker to cause a denial of service via crafted oversized HTTP requests. | MMSA-2026-00646 |
| CVE-2026-5755 | May 22, 2026 | TIFF IFD out-of-memory DoS via crafted TIFF | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) by uploading a crafted TIFF file or posting a URL that serves one. | MMSA-2026-00648 |
| CVE-2026-22880 | May 21, 2026 | Mobile App SSO callback origin validation bypass | Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin, which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server by relaying the SSO code exchange flow through the mobile application. | MMSA-2025-00564 |
| CVE-2026-4858 | May 21, 2026 | Path traversal in integration action URL (authenticated user) | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URLs for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin Mattermost auth token via path traversal in the integration action URL. | MMSA-2026-00640 |
| CVE-2026-4055 | May 21, 2026 | Playbook run create auth bypass | Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run creation API request. | MMSA-2026-00629 |
| CVE-2026-3471 | May 18, 2026 | Desktop App <=6.1 URL injection crash via popup | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window, which allows a malicious server owner to repeatedly crash the application by calling `window.open('javascript:alert()');`. | MMSA-2026-00618 |
| CVE-2026-4643 | May 18, 2026 | Desktop App <=6.1 crash via window.close() in renderer | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view, which allows a malicious server or plugin to crash the desktop client by invoking `window.close()` in the renderer context, leading to a denial of service condition at the client level. | MMSA-2026-00633 |
| CVE-2026-6333 | May 18, 2026 | Host header bypass in slash command response URLs | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. | MMSA-2026-00582 |
| CVE-2026-6345 | May 18, 2026 | Password disclosure via user creation | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of a created user's password, which allows a malicious attacker to impersonate a user via the use of some of those passwords. | MMSA-2026-00614 |
| CVE-2026-6346 | May 18, 2026 | Sensitive config leak via support packet generation | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext by downloading a support packet from the System Console. | MMSA-2026-00607 |
| CVE-2026-28732 | May 18, 2026 | Slash command hijack via trigger uniqueness bypass | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands by editing their own slash command trigger to an already-registered trigger through the command update API. | MMSA-2026-00597 |
| CVE-2026-6343 | May 18, 2026 | Access control bypass via playbook endpoint | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. | MMSA-2026-00591 |
| CVE-2026-6347 | May 18, 2026 | Unsanitized Calls plugin config exposes TURN credentials | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. | MMSA-2026-00605 |
| CVE-2026-5163 | May 18, 2026 | AI rewrite bypasses channel membership | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites, which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. | MMSA-2026-00645 |
| CVE-2026-3117 | May 18, 2026 | GitLab plugin permissions bypass | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the GitLab plugin, which allows normal users to uninstall instances or set up webhook connections via the `gitlab instance {option}` or `/gitlab webhook {option}` commands. | MMSA-2026-00600 |
| CVE-2026-4286 | May 18, 2026 | Playbook team ID bypass via PUT API | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check whether `team_id` is being changed when updating playbooks, allowing users with only the `Manage Playbook Configurations` permission to change a playbook's team, bypassing the manage-members restriction via the PUT API. | MMSA-2025-00552 |
| CVE-2026-6339 | May 18, 2026 | Burn-on-read reveal endpoint X-Requested-With header flaw | Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint, which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. | MMSA-2026-00636 |
| CVE-2026-6340 | May 18, 2026 | 7zip upload causing memory exhaustion | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, which allows an authenticated attacker to cause server memory exhaustion and denial of service by uploading a specially crafted 7zip file with excessive folder declarations. | MMSA-2026-00573 |
| CVE-2026-6341 | May 18, 2026 | Missing API-level group access check in plugins | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to, which allows a user who is a member of multiple groups to create issues in a locked group via direct API requests. | MMSA-2026-00602 |
| CVE-2026-6342 | May 18, 2026 | Namespace check flaw allows subscriptions to unwhitelisted groups | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces, which allows plugin users to create subscriptions to groups that were not whitelisted by creating groups that share the same prefix as a whitelisted group. | MMSA-2026-00601 |
| CVE-2026-3495 | May 18, 2026 | XSS via unescaped config variables in error pages | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute malicious code by injecting JavaScript as part of those values. | MMSA-2026-00622 |
| CVE-2026-4273 | May 18, 2026 | Token rotation bypass via RefreshedToken reuse | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation, which allows an authenticated attacker to bypass token rotation and reuse the original invite token by sending a crafted invite confirmation with a RefreshedToken matching the original token. | MMSA-2026-00575 |
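The entries above all express affected versions the same way ("11.6.x <= 11.6.3, 11.5.x <= 11.5.6, ..."). The following is an added example, not stack.watch or Mattermost code, that parses that wording and classifies a deployed server version against one advisory. The parsing rules are an assumption about the summaries quoted on this page, not an official Mattermost format, and the inferred "first fixed" release is a guess from the "<=" bound rather than advisory data.

```python
"""Classify a deployed Mattermost version against an advisory summary.

Added example (not Mattermost or stack.watch code). The range syntax it
understands, "<branch>.x <= <last affected>", is the wording used by the
advisory summaries on this page; other formats (for example the Go module
entry "< v0.1.22") are reported as "unparsed".
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# One clause such as "11.6.x <= 11.6.3": branch prefix, then last affected release.
_RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\.x\s*<=\s*(\d+(?:\.\d+)*)")


def _parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def affected_ranges(summary: str) -> Dict[Version, Version]:
    """Map each branch prefix to its highest last-affected release.

    Some entries list a branch twice ("10.11.x <= 10.11.15, 10.11.x <= 10.11.16");
    keeping the maximum avoids classifying 10.11.16 as fixed.
    """
    ranges: Dict[Version, Version] = {}
    for branch_text, last_text in _RANGE_RE.findall(summary):
        branch, last = _parse_version(branch_text), _parse_version(last_text)
        if branch not in ranges or last > ranges[branch]:
            ranges[branch] = last
    return ranges


def check_version(version: str, summary: str) -> str:
    """Return "affected", "fixed", "unlisted" or "unparsed".

    "unlisted" means the branch does not appear in the advisory at all. That is
    not a clean bill of health: advisories list supported branches, and an
    older branch (e.g. 11.4.x when only 11.5/11.6/10.11 are named) is usually
    end-of-life and unpatched, so treat it as "assume affected, upgrade".
    """
    ranges = affected_ranges(summary)
    if not ranges:
        return "unparsed"
    v = _parse_version(version)
    for branch, last_affected in ranges.items():
        if v[: len(branch)] == branch:
            return "affected" if v <= last_affected else "fixed"
    return "unlisted"


def first_fixed_versions(summary: str) -> List[str]:
    """Infer the first patched release per branch: last affected + 1 on the
    final component. An inference from the "<=" wording, not advisory data."""
    fixed = []
    for last in affected_ranges(summary).values():
        fixed.append(".".join(str(p) for p in last[:-1] + (last[-1] + 1,)))
    return fixed


# Summary text quoted from the CVE-2026-4339 entry above.
SSRF_SUMMARY = (
    "Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 "
    "fail to validate attachment URLs against internal or private IP ranges"
)

if __name__ == "__main__":
    for deployed in ("11.6.3", "11.6.4", "10.11.18", "11.4.4"):
        print(deployed, check_version(deployed, SSRF_SUMMARY))
    print("first fixed:", first_fixed_versions(SSRF_SUMMARY))
```

Run it against the summary text of each entry that matters to you; feeding `mattermost version` output through `check_version` for every row is a quick way to build a patch list, with "unlisted" and "unparsed" rows reviewed by hand.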
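CVE-2026-4339 describes attachment URLs that were never checked against internal or private address space before the server fetched them. The following is an added example, not Mattermost code, of the kind of guard that check needs: it vets literal IP hosts without DNS, resolves names through an injected resolver so the example runs offline, rejects every address a name maps to rather than just the first, and unwraps IPv4-mapped IPv6 literals. The hostnames and addresses in the demo and stub resolver are constructed.

```python
"""Reject attachment URLs that point at internal address space.

Added example (not Mattermost code). "Internal" here means anything Python's
ipaddress module does not classify as globally routable: loopback, RFC 1918,
link-local (including 169.254.169.254 metadata endpoints), CGNAT, multicast,
unspecified, reserved and documentation ranges.
"""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]  # hostname -> list of IP address strings


def _unwrap(ip):
    # ::ffff:10.0.0.1 must be judged as 10.0.0.1, or the IPv6 rules are applied
    # to what is really an IPv4 destination.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def is_internal_address(text: str) -> bool:
    """True if the address must not be fetched from server-side code."""
    return not _unwrap(ipaddress.ip_address(text)).is_global


def validate_attachment_url(url: str, resolve: Resolver) -> List[str]:
    """Return the vetted addresses for url, or raise ValueError.

    Callers should connect to one of the returned addresses instead of
    re-resolving (a second lookup reopens a DNS-rebinding race) and must run
    this check again on every HTTP redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal IP: no lookup
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            raise ValueError("localhost not allowed")
        candidates = resolve(host)
        if not candidates:
            raise ValueError(f"{host} did not resolve")
    for addr in candidates:
        if is_internal_address(addr):
            raise ValueError(f"{host} maps to internal address {addr}")
    return candidates


def is_allowed(url: str, resolve: Resolver) -> bool:
    """Boolean wrapper around validate_attachment_url."""
    try:
        validate_attachment_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed stub resolver; the names and addresses are not real deployments.
_STUB_DNS = {
    "files.example.org": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "mixed.example.org": ["93.184.216.34", "172.16.0.5"],  # split-horizon trap
}


def stub_resolve(host: str) -> List[str]:
    return _STUB_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://files.example.org/report.pdf", "http://intranet.corp/",
              "http://127.0.0.1:8065/api/v4/users", "http://169.254.169.254/latest/",
              "http://[::ffff:10.0.0.1]/", "https://mixed.example.org/x"):
        print(u, "->", "allowed" if is_allowed(u, stub_resolve) else "REJECTED")
```

The "mixed" case is the one naive checks miss: validating only the first A record lets a name that also resolves to 172.16.0.5 through. Validating every record and then pinning the connection to a vetted address is what closes the gap.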
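CVE-2026-6961 and CVE-2026-6957 both come down to a filename supplied by a federated peer being joined onto a local filestore path without sanitisation. The following is an added example, not Mattermost code, showing the naive join beside a hardened version: the remote name must be a plain basename (no separators of either OS family, no NUL, not "." or ".."), and the final path is still checked for containment under the root as defence in depth. The root directory and filenames are constructed; `posixpath` is used so the result is the same on any platform.

```python
"""Store a peer-supplied filename safely under the local filestore root.

Added example (not Mattermost code). unsafe_join shows what a plain join does
with a traversal name; safe_filestore_path is the hardened counterpart.
"""
import posixpath

MAX_NAME_LEN = 255  # typical filesystem limit for a single path component


def unsafe_join(root: str, remote_name: str) -> str:
    """The vulnerable pattern: trust the peer's name and join it onto root."""
    return posixpath.normpath(posixpath.join(root, remote_name))


def is_safe_remote_name(name: str) -> bool:
    """Accept only a plain basename from a federated peer."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if "\x00" in name:
        return False
    # Reject both separator families: the peer's OS need not be ours, and a
    # backslash that is harmless on Linux becomes a separator on Windows.
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    return True


def safe_filestore_path(root: str, remote_name: str) -> str:
    """Return root/<name> for a vetted name, or raise ValueError."""
    if not is_safe_remote_name(remote_name):
        raise ValueError(f"rejected remote filename {remote_name!r}")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, remote_name))
    # Containment check: even if the name rules above are loosened later,
    # nothing outside root may be returned.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError(f"{candidate!r} escapes {root!r}")
    return candidate


if __name__ == "__main__":
    root = "/var/mattermost/data"  # constructed example root
    for name in ("report.pdf", "../../etc/cron.d/backdoor", "sub/dir.txt", "..\\x"):
        print(f"{name!r:32} naive -> {unsafe_join(root, name)}")
        try:
            print(f"{'':32} safe  -> {safe_filestore_path(root, name)}")
        except ValueError as e:
            print(f"{'':32} safe  -> REJECTED ({e})")
```

The naive join turns `../../etc/cron.d/backdoor` into `/etc/cron.d/backdoor`, which is exactly the arbitrary write the two advisories describe. Note that rejecting rather than silently taking `basename()` is deliberate: a peer sending a path where a name is expected is misbehaving, and the sync should fail loudly and be logged.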