MatterMost

Products by MatterMost Sorted by Most Security Vulnerabilities since 2018

Product Vulnerabilities
MatterMost 351
Mattermost Server 117
Mattermost Desktop 12
Mattermost Mobile 10
Mattermost Boards 2
MatterMost Playbooks 2
MatterMost Focalboard 1

By the Year

In 2026 there have been 90 vulnerabilities in MatterMost with an average score of 5.1 out of ten. Last year, in 2025, MatterMost had 93 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in MatterMost in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.03.

Year Vulnerabilities Average Score
2026 90 5.09
2025 93 5.12
2024 95 5.21
2023 84 5.67
2022 25 6.24
2021 5 6.16
2020 1 0.00

It may take a day or so for new MatterMost vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MatterMost Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-6957 May 27, 2026
Mattermost 1.1.5 Arbitrary File Write via Unsanitized fn (CVE-2026-6957) Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659
Mattermost
CVE-2026-4915 May 25, 2026
Mattermost <=11.6.0, 11.5.3, 11.4.4, 10.11.14 DoS via Null Webhook Attachment Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641
Mattermost
CVE-2026-28735 May 22, 2026
Mattermost 10.11.x-10.11.14 & 11.x-11.6.0: OAuth Scope Bypass via GitHub URL Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628
Mattermost
CVE-2026-4635 May 22, 2026
Mattermost <= 11.6.0 Crash via Timing Delete Persistent Notification/Archive Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existing persistent notifications and archiving the channel. Mattermost Advisory ID: MMSA-2026-00637
Mattermost
CVE-2026-3473 May 22, 2026
Mattermost <11.6 Access Control Bypass via Boards API Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620
Mattermost
CVE-2026-4646 May 22, 2026
Mattermost API Input Validation flaw (v10.11-11.6) causes plugin crash Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Mattermost
CVE-2026-3636 May 22, 2026
Mattermost API Data Leak: Unsanitized Team Member Data in 10.11.x-11.6.x Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members' roles via invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626
Mattermost
CVE-2026-5740 May 22, 2026
Mattermost <12 Allows Attacker to Crash Server via msgpack-WS Frame (CVE-2026-5740) Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. Mattermost Advisory ID: MMSA-2026-00647
Mattermost
CVE-2026-5308 May 22, 2026
Mattermost 10.11.0-11.6.0: Unchecked Body Size on Plugin Endpoints (DOS) Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646
Mattermost
CVE-2026-5755 May 22, 2026
Mattermost <=11.6.0 TIFF IFD OOM DoS via Crafted TIFF Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one. Mattermost Advisory ID: MMSA-2026-00648
Mattermost
CVE-2026-22880 May 21, 2026
Mattermost Mobile App: SSO Callback Origin Validation Bypass (<=2.37, 11.x) Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564
Mattermost
CVE-2026-4858 May 21, 2026
Mattermost 10.11-11.6 Path Traversal in Integration Action URL (Auth User) Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal which allows a malicious authenticated user to call an arbitrary API using the system admin Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640
Mattermost
CVE-2026-4055 May 21, 2026
Mattermost 11.5.x <= 11.5.1 Playbook Run Create Auth Bypass Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629
Mattermost
CVE-2026-3471 May 18, 2026
Mattermost Desktop App <=6.1 URL Injection Crash via Popup Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeatedly crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618
Mattermost
CVE-2026-4643 May 18, 2026
Mattermost Desktop App <=6.1 Crash via window.close() in Renderer Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
Mattermost
CVE-2026-6333 May 18, 2026
Mattermost Host Header Bypass in Slash Commands v10.11 <=13, v11.5 <=1 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582
Mattermost
CVE-2026-6345 May 18, 2026
Mattermost 10.11.13/11.5.1 Password Disclosure via User Creation Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Mattermost
CVE-2026-6346 May 18, 2026
Mattermost 11.5.1 Sensitive Config Leak via Support Pack Generation Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607
Mattermost
CVE-2026-28732 May 18, 2026
Mattermost 11.5.1 Slash Command Hijack via Uniqueness Bypass Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597
Mattermost
CVE-2026-6343 May 18, 2026
Mattermost <= 11.5.1 Access Ctrl Bypass via Playbook Endpoint Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
Mattermost
CVE-2026-6347 May 18, 2026
Unsanitized Call Config in Mattermost <11.6 Exposes TURN Credentials Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
Mattermost
CVE-2026-5163 May 18, 2026
Mattermost <=11.5.1: AI Rewrite Bypasses Channel Membership (CVE-2026-5163) Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645
Mattermost
CVE-2026-3117 May 18, 2026
Mattermost Gitlab Plugin Permissions Bypass CVE-2026-3117 (10.13.11-11.5) Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600
Mattermost
CVE-2026-4286 May 18, 2026
Mattermost <=11.5.1 & 10.11.13 Playbook Team ID Bypass via PUT API Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552
Mattermost
CVE-2026-6339 May 18, 2026
Mattermost burn-on-read reveal endpoint X-Requested-With header flaw (v<11.5.1) Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636
Mattermost
CVE-2026-6340 May 18, 2026
7zip Upload Causing Memory Exhaustion in Mattermost 10.11.13, 11.4.3, 11.5.1 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573
Mattermost
CVE-2026-6341 May 18, 2026
API No-Check Group Access Bypass in Mattermost Plugins <=11.5 (CVE-2026-6341) Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602
Mattermost
CVE-2026-6342 May 18, 2026
Mattermost Plugins <=11.5 NS Flaw Allows Subscription to Unwhitelisted Groups Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601
Mattermost
CVE-2026-3495 May 18, 2026
Mattermost <11.5.1/10.11.13: XSS via unescaped config vars in error pages Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622
Mattermost
CVE-2026-4273 May 18, 2026
Mattermost 10-11.x Token Rotation Bypass via RefreshedToken Reuse Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
Mattermost
CVE-2026-3637 May 18, 2026
Mattermost v10.11.13 & v11.5.1: Authenticated Post Edit Spoofing Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026-00627
Mattermost
CVE-2026-2325 May 18, 2026
Mattermost 10.11.x-11.5.1 DoS via Oversized /api/v1/meetings POST Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}. Mattermost Advisory ID: MMSA-2026-00608
Mattermost
CVE-2026-28759 May 18, 2026
Mattermost 11.5.x & 10.11.x Remote Cluster Membership Sync Bypass (CVE-2026-28759) Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576
Mattermost
CVE-2026-6334 May 18, 2026
Mattermost OAuth Code Redemption Identity Bypass in 10.11.13 & 11.5.1 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570
Mattermost
CVE-2026-4053 May 15, 2026
Mattermost 11.5.1 / 10.11.13: Edit-Window Bypass via Post API Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMSA-2026-00631
Mattermost
CVE-2026-4054 May 15, 2026
Mattermost 10.11-11.5 Response Validation Flaw Enables Client DoS with SVG Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link. Mattermost Advisory ID: MMSA-2026-00630
Mattermost
CVE-2026-3590 Apr 15, 2026
Mattermost <=11.5 Auth: Double-Use Guest Magic Links (CVE-2026-3590) Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests. Mattermost Advisory ID: MMSA-2026-00624
Mattermost
CVE-2026-28741 Apr 15, 2026
Mattermost CSRF token validation failure (10.11.x-10.11.12,11.x) allows auth method change Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Mattermost
CVE-2026-27769 Apr 15, 2026
Mattermost <10.11.12 Connected Workspace API Unauthorized Status Change Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Connected Workspaces API. Mattermost Advisory ID: MMSA-2026-00603
Mattermost
CVE-2026-24661 Apr 09, 2026
Memory Exhaustion via Oversized Payload in Mattermost Plugins <=2.1.3.0 Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611
Mattermost
CVE-2026-21388 Apr 09, 2026
Mattermost Plugins <=2.3.1 DOS via Unrestricted /lifecycle Webhook Body Size Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
Mattermost
CVE-2026-3524 Apr 06, 2026
Mattermost Plugin Legal Hold <=1.1.4 Auth Bypass in ServeHTTP Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621
Mattermost
CVE-2026-28736 Apr 03, 2026
Focalboard 8.0 Auth File Read via File Ownership Bypass ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
CVE-2026-25773 Apr 03, 2026
Focalboard 8.0 SQLi via Category ID (CVE-2026-25773) ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
CVE-2026-3112 Mar 26, 2026
Path Traversal in Advanced Logging (before 11.4.0, 11.3.1, 11.2.3, 10.11.11) Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562
Mattermost
CVE-2026-3109 Mar 26, 2026
Replayable timestamp bypass in Mattermost Plugins <=11.4 corrupts Zoom meetings Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584
Mattermost
CVE-2026-3115 Mar 26, 2026
Guest ID Enumeration via Group Retrieval in Mattermost <11.4 Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594
Mattermost
CVE-2026-3114 Mar 26, 2026
DOS via Zip Bomb Extraction, Mattermost <=11.4.0/11.3.1/10.11.11 Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598
Mattermost
CVE-2026-3116 Mar 26, 2026
Mattermost Plugins <=11.4 Request Size Validation Bypass in Webhook Endpoint Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589
Mattermost
CVE-2026-3113 Mar 26, 2026
Mattermost 11.4.0 Bulk Export LFR Local Users Read Exported Data Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on the downloaded bulk export which allows other local users on the server to read the contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593
Mattermost
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).