MatterMost


Products by MatterMost, sorted by most security vulnerabilities since 2018

MatterMost: 371 vulnerabilities
Mattermost Server: 117 vulnerabilities
Mattermost Desktop: 12 vulnerabilities
Mattermost Mobile: 10 vulnerabilities
Mattermost Boards: 2 vulnerabilities
MatterMost Playbooks: 2 vulnerabilities
MatterMost Focalboard: 1 vulnerability

By the Year

In 2026 there have been 110 vulnerabilities in MatterMost, with an average score of 5.2 out of ten. Last year, in 2025, MatterMost had 93 security vulnerabilities published. That is, 17 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 0.07.

Year  Vulnerabilities  Average Score
2026  110              5.19
2025  93               5.12
2024  95               5.21
2023  84               5.67
2022  25               6.24
2021  5                6.16
2020  1                0.00

It may take a day or so for new MatterMost vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MatterMost Security Vulnerabilities

CVE | Date | Products

CVE-2026-4339 | Jun 26, 2026 | Mattermost
  CVE-2026-4339: SSRF via Unvalidated URLs in Mattermost Agents MCP (11.6.3)
  Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests. Mattermost Advisory ID: MMSA-2026-00635

CVE-2026-9699 | Jun 26, 2026 | Mattermost
  Mattermost Plugins <=11.6: OpenAI API key leak via unsanitized error logs
  Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609

CVE-2026-3472 | Jun 26, 2026 | Mattermost
  Mattermost 10.11-11.6 Markdown Image Exfil via AI Bot Tool (Auth)
  Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into tool result content rendered by a victim's client. Mattermost Advisory ID: MMSA-2026-00619

CVE-2026-13426 | Jun 26, 2026 | Mattermost
  Mattermost Go Module <0.1.22 Path Validation Failure Enables API Redirect
  The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

CVE-2026-2299 | Jun 25, 2026 | Mattermost
  Mattermost GMDrive Plugin <1.1.0 Authenticated File Share Disclosure
  The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

CVE-2026-8823 | Jun 22, 2026 | Mattermost
  Mattermost 11.7.0: Admin can downgrade bots via demoteuser API
  Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669

CVE-2026-6062 | Jun 22, 2026 | Mattermost
  Unvalidated Channel Ownership in Mattermost Subscription Edit 10.11.17-11.7.x
  Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint. Mattermost Advisory ID: MMSA-2026-00650

CVE-2026-6673 | Jun 22, 2026 | Mattermost
  Mattermost 11.7 Auth Bypass: Unauth POST /ac/installed SharedSecret
  Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window. Mattermost Advisory ID: MMSA-2026-00654

CVE-2026-8074 | Jun 22, 2026 | Mattermost
  Mattermost 10.11 <=10.11.17 / 11.7 <=11.7.0 API Perm Check Missing (CVE-2026-8074)
  Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/{id}/active API endpoint. Mattermost Advisory ID: MMSA-2026-00667

CVE-2026-9162 | Jun 22, 2026 | Mattermost
  Mattermost <10.11.17, 11.7.0 WS Auth Invalidation Flaw
  Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSocket connection to remain authenticated and continue receiving real-time events until the cached session expires or the client reconnects. Mattermost Advisory ID: MMSA-2026-00664

CVE-2026-5139 | Jun 22, 2026 | Mattermost
  Mattermost <=11.7.0/11.6.2/11.5.5/10.11.17 Auth Bypass on /gitlab connect
  Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command. Mattermost Advisory ID: MMSA-2026-00644

CVE-2026-8683 | Jun 15, 2026 | Mattermost
  Mattermost Desktop App <=6.1 URL Overflow Crash via window.open
  Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652

CVE-2026-6517 | Jun 15, 2026 | Mattermost
  Mattermost Desktop App <=6.1 NTLM Credential Leakage via untrusted image domains
  Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users' credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651

CVE-2026-6961 | Jun 12, 2026 | Mattermost
  Mattermost <=11.6.1/11.5.4 Path Traversal via FILEINFO.Name
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661

CVE-2026-7387 | Jun 12, 2026 | Mattermost
  Mattermost <=11.6.1 Auth Bypass via scheme_admin flag -> Priv Escalation
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. Mattermost Advisory ID: MMSA-2026-00665

CVE-2026-6046 | Jun 12, 2026 | Mattermost
  Mattermost Bot Registration Validation Bypass 10.11-11.6, Unprivileged Intercept
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. Mattermost Advisory ID: MMSA-2026-00649

CVE-2026-6689 | Jun 12, 2026 | Mattermost
  Mattermost Team Creation Priv Escalation 10.11-11.6
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body. Mattermost Advisory ID: MMSA-2026-00655

CVE-2026-7184 | Jun 12, 2026 | Mattermost
  Mattermost <=11.6.1 Remote Cluster API PATCH token leakage (CVE-2026-7184)
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662

CVE-2026-6739 | Jun 12, 2026 | Mattermost
  Privilege Escalation in Mattermost <=11.6.1 via Role Patch API
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656

CVE-2026-3433 | Jun 12, 2026 | Mattermost
  CVE-2026-3433: Mattermost 10.11.x-11.6 WebSocket role_updated Disclosure
  Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection. Mattermost Advisory ID: MMSA-2026-00616

CVE-2026-6957 | May 27, 2026 | Mattermost
  Mattermost 1.1.5 Arbitrary File Write via Unsanitized fn (CVE-2026-6957)
  Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659

CVE-2026-4915 | May 25, 2026 | Mattermost
  Mattermost <=11.6.0, 11.5.3, 11.4.4, 10.11.14 DoS via Null Webhook Attachment
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641

CVE-2026-28735 | May 22, 2026 | Mattermost
  Mattermost 10.11.x-10.11.14 & 11.x-11.6.0: OAuth Scope Bypass via GitHub URL
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628

CVE-2026-4635 | May 22, 2026 | Mattermost
  Mattermost <= 11.6.0 Crash via Timing Delete Persistent Notification/Archive
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existing persistent notifications and archiving the channel. Mattermost Advisory ID: MMSA-2026-00637

CVE-2026-3473 | May 22, 2026 | Mattermost
  Mattermost <11.6 Access Control Bypass via Boards API
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620

CVE-2026-4646 | May 22, 2026 | Mattermost
  Mattermost API Input Validation flaw (v10.11-11.6) causes plugin crash
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638

CVE-2026-3636 | May 22, 2026 | Mattermost
  Mattermost API Data Leak: Unsanitized Team Member Data in 10.11.x-11.6.x
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members' roles via invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626

CVE-2026-5740 | May 22, 2026 | Mattermost
  Mattermost <12 Allows Attacker to Crash Server via msgpack-WS Frame (CVE-2026-5740)
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. Mattermost Advisory ID: MMSA-2026-00647

CVE-2026-5308 | May 22, 2026 | Mattermost
  Mattermost 10.11.0-11.6.0: Unchecked Body Size on Plugin Endpoints (DOS)
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646

CVE-2026-5755 | May 22, 2026 | Mattermost
  Mattermost <=11.6.0 TIFF IFD OOM DoS via Crafted TIFF
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one. Mattermost Advisory ID: MMSA-2026-00648

CVE-2026-22880 | May 21, 2026 | Mattermost
  Mattermost Mobile App: SSO Callback Origin Validation Bypass (<=2.37, 11.x)
  Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564

CVE-2026-4858 | May 21, 2026 | Mattermost
  Mattermost 10.11-11.6 Path Traversal in Integration Action URL (Auth User)
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal which allows a malicious authenticated user to call an arbitrary API using the system admin Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640

CVE-2026-4055 | May 21, 2026 | Mattermost
  Mattermost 11.5.x <= 11.5.1 Playbook Run Create Auth Bypass
  Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629

CVE-2026-3471 | May 18, 2026 | Mattermost
  Mattermost Desktop App <=6.1 URL Injection Crash via Popup
  Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeatedly crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618

CVE-2026-4643 | May 18, 2026 | Mattermost
  Mattermost Desktop App <=6.1 Crash via window.close() in Renderer
  Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633

CVE-2026-6333 | May 18, 2026 | Mattermost
  Mattermost Host Header Bypass in Slash Commands v10.11 <=13, v11.5 <=1
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582

CVE-2026-6345 | May 18, 2026 | Mattermost
  Mattermost 10.11.13/11.5.1 Password Disclosure via User Creation
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614

CVE-2026-6346 | May 18, 2026 | Mattermost
  Mattermost 11.5.1 Sensitive Config Leak via Support Pack Generation
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607

CVE-2026-28732 | May 18, 2026 | Mattermost
  Mattermost 11.5.1 Slash Command Hijack via Uniqueness Bypass
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597

CVE-2026-6343 | May 18, 2026 | Mattermost
  Mattermost <= 11.5.1 Access Ctrl Bypass via Playbook Endpoint
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591

CVE-2026-6347 | May 18, 2026 | Mattermost
  Unsanitized Call Config in Mattermost <11.6 Exposes TURN Credentials
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605

CVE-2026-5163 | May 18, 2026 | Mattermost
  Mattermost <=11.5.1: AI Rewrite Bypasses Channel Membership (CVE-2026-5163)
  Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645

CVE-2026-3117 | May 18, 2026 | Mattermost
  Mattermost Gitlab Plugin Permissions Bypass CVE-2026-3117 (10.13.11-11.5)
  Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or set up webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600

CVE-2026-4286 | May 18, 2026 | Mattermost
  Mattermost <=11.5.1 & 10.11.13 Playbook Team ID Bypass via PUT API
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing the manage members restriction via the PUT API. Mattermost Advisory ID: MMSA-2025-00552

CVE-2026-6339 | May 18, 2026 | Mattermost
  Mattermost burn-on-read reveal endpoint X-Requested-With header flaw (v<11.5.1)
  Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636

CVE-2026-6340 | May 18, 2026 | Mattermost
  7zip Upload Causing Memory Exhaustion in Mattermost 10.11.13, 11.4.3, 11.5.1
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573

CVE-2026-6341 | May 18, 2026 | Mattermost
  API No-Check Group Access Bypass in Mattermost Plugins <=11.5 (CVE-2026-6341)
  Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602

CVE-2026-6342 | May 18, 2026 | Mattermost
  Mattermost Plugins <=11.5 NS Flaw Allows Subscription to Unwhitelisted Groups
  Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601

CVE-2026-3495 | May 18, 2026 | Mattermost
  Mattermost <11.5.1/10.11.13: XSS via unescaped config vars in error pages
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute malicious code via injecting JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622

CVE-2026-4273 | May 18, 2026 | Mattermost
  Mattermost 10-11.x Token Rotation Bypass via RefreshedToken Reuse
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).