MatterMost
By the Year
In 2026 there have been 46 vulnerabilities in MatterMost with an average score of 4.9 out of ten. Last year, in 2025, Mattermost had 90 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Mattermost in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.19.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 46 | 4.93 |
| 2025 | 90 | 5.12 |
| 2024 | 82 | 5.18 |
| 2023 | 76 | 5.62 |
| 2022 | 12 | 6.03 |
| 2021 | 3 | 6.57 |
It may take a day or so for new Mattermost vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent MatterMost Security Vulnerabilities
Path Traversal in Advanced Logging (before 11.4.0, 11.3.1, 11.2.3, 10.11.11)
CVE-2026-3112
6.8 - Medium
- March 26, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562
Directory traversal
Replayable timestamp bypass in Mattermost Plugins <=11.4 corrupts Zoom meetings
CVE-2026-3109
2.2 - Low
- March 26, 2026
Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584
Improper Check for Unusual or Exceptional Conditions
Guest ID Enumeration via Group Retrieval in Mattermost <11.4
CVE-2026-3115
4.3 - Medium
- March 26, 2026
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594
AuthZ
DOS via Zip Bomb Extraction, Mattermost <=11.4.0/11.3.1/10.11.11
CVE-2026-3114
6.5 - Medium
- March 26, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598
Data Amplification
Mattermost Plugins <=11.4 Request Size Validation Bypass in Webhook Endpoint
CVE-2026-3116
4.9 - Medium
- March 26, 2026
Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589
Resource Exhaustion
Mattermost 11.4.0 Bulk Export LFR Local Users Read Exported Data
CVE-2026-3113
5 - Medium
- March 26, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593
Incorrect Permission Assignment for Critical Resource
Mattermost <11.5 mmctl Terminal Escape Sequences Vulnerability (CVE-2026-3108)
CVE-2026-3108
8 - High
- March 26, 2026
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
Improper Neutralization of Escape, Meta, or Control Sequences
Mattermost 11.4 & 11.2.2 Membership Sync Remote Cluster Bypass
CVE-2026-4274
5.4 - Medium
- March 26, 2026
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574
AuthZ
CSRF Bypass in Mattermost 10.x-11.x Enables Admin Policy Switch
CVE-2026-27659
4.6 - Medium
- March 25, 2026
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Session Riding
Mattermost 10-11.4 External SVG Crash (Unauthenticated)
CVE-2026-20719
4.3 - Medium
- March 25, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595
Improper Check for Unusual or Exceptional Conditions
Mattermost 11.4.0, 11.3.1, 11.2.3, 10.11.11 OpenID IsSameUser SubstrMatch PrivEsc
CVE-2026-27656
5.7 - Medium
- March 25, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
Incorrect Implementation of Authentication Algorithm
DDoS via Login RateLimit Bypass in Mattermost 10.11-11.4 (CVE-2026-26233)
CVE-2026-26233
4.3 - Medium
- March 25, 2026
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566
Resource Exhaustion
Mattermost <=10.11.10 Cached Permalink Preview Persistence
CVE-2026-1629
4.3 - Medium
- March 16, 2026
Mattermost versions 10.11.x <= 10.11.10 fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin. Mattermost Advisory ID: MMSA-2026-00580
Operation on a Resource after Expiration or Release
Mattermost 10.11.x <=10.11.10 Permission Validation Flaw in Roles API
CVE-2026-26230
3.8 - Low
- March 16, 2026
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
AuthZ
Mattermost <=11.3.0, 11.2.2, 10.11.10 OOM via corrupted msgpack WS frames
CVE-2026-2454
5.8 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537
Improper Validation of Specified Type of Input
Mattermost <=11.3.0/<=11.2.2 run_create Perm Bypass Unauthorized Playbook Run
CVE-2026-26304
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
AuthZ
Mattermost <v11.3.0: Search API Read Permission Bypass (CVE-2026-24692)
CVE-2026-24692
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554
AuthZ
Auth Method Switch Flaw Enables Password Change in Mattermost <=10.11.10
CVE-2026-22545
3.1 - Low
- March 16, 2026
Mattermost versions 10.11.x <= 10.11.10 fail to validate the user's authentication method when processing an account auth type switch which allows an authenticated attacker to change the account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID: MMSA-2026-00583
AuthZ
Mattermost SSRF before v11.3.0 via IPv4-mapped IPv6
CVE-2026-2455
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]). Mattermost Advisory ID: MMSA-2026-00585
SSRF
Mattermost 11.3.0, 11.2.2, 10.11.10: /mute ErrResp Enables Private Disclosure
CVE-2026-21386
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588
Side Channel Attack
Memory Allocation Bug in Mattermost DOC Parsing (10.11.10, 11.2.2, 11.3.0)
CVE-2026-25780
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Stack Exhaustion
Mattermost <11.3.0/11.2.2/10.11.10: Guest upload_file bypass via metadata reuse
CVE-2026-4265
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553
AuthZ
Mattermost <=11.3.0: Invalid User-Agent Header Causes Panic
CVE-2026-25783
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
Improper Validation of Specified Type of Input
Mattermost 10-11.3.x Auth, Big Password DoS
CVE-2026-24458
7.5 - High
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Allocation of Resources Without Limits or Throttling
Mattermost <=11.3.0 RCE via plugin install on CI test with default admin creds
CVE-2026-2462
6.6 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
AuthZ
Mattermost 11.3.x WebSocket Leak Exposes BurnonRead Posts
CVE-2026-2578
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Insertion of Sensitive Information Into Sent Data
Memory Exhaustion in Mattermost PSD Handler (v<11.3.0)
CVE-2026-26246
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572
Stack Exhaustion
Mattermost <=11.3.0, 11.2.2, 10.11.10: Channel Search Enum
CVE-2026-2458
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory ID: MMSA-2025-00568
AuthZ
Mattermost 11.3.0/11.2.2/10.11.10: Authenticated Metadata Sanitize Bypass
CVE-2026-2457
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Origin Validation Error
Mattermost Plugins <=11.3 Auth Checks Missing on Comment Mods
CVE-2026-2461
4.3 - Medium
- March 16, 2026
Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559
Insecure Direct Object Reference / IDOR
ACL Bypass via Invite ID in Mattermost 10.11.10 & lower
CVE-2026-2463
4.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565
AuthZ
Mattermost Plugins <=2.0.3.0: Sensitive Config Not Masked on Export
CVE-2026-2476
7.6 - High
- March 16, 2026
Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606
Information Disclosure
Mattermost <=11.3.0 Denial via Unbounded Integration Response
CVE-2026-2456
5.3 - Medium
- March 16, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button. Mattermost Advisory ID: MMSA-2026-00571
Stack Exhaustion
Mattermost Desktop App <=5.13.3: External Navigation Leak Exposes Preload Scripts
CVE-2026-1628
4.6 - Medium
- March 02, 2026
Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
Inclusion of Functionality from Untrusted Control Sphere
Mattermost <=10.11.9 Bypass Invite Permissions via API
CVE-2025-14573
3.8 - Low
- February 16, 2026
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
AuthZ
Mattermost Desktop App <=6.0 Help Link RCE CVE-2026-1046 via Malicious Server
CVE-2026-1046
7.6 - High
- February 16, 2026
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user's system via the user clicking on certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577
Improper Authorization in Handler for Custom URL Scheme
Mattermost <11.2.1 Channel Mention Member Validation Flaw (CVE-2025-14350)
CVE-2025-14350
4.3 - Medium
- February 16, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563
AuthZ
Mattermost 10.11/11.1/11.2 WS Sensitive Data Leak (hash/mfa)
CVE-2025-13821
5.7 - Medium
- February 16, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Information Disclosure
Mattermost Zoom Plugin: Auth Bypass Allows Channel Preference Change (11.2.1)
CVE-2026-0997
4.3 - Medium
- February 16, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests. Mattermost Advisory ID: MMSA-2025-00558
AuthZ
Unauthorized API Use in Mattermost 10.11-11.2 and Zoom Plugin <=1.11.0
CVE-2026-0998
4.3 - Medium
- February 16, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data. Mattermost Advisory ID: MMSA-2025-00534
AuthZ
Mattermost: Login Method Bypass via UID in v10.11.x-11.2.1 (SSO Bypass)
CVE-2026-0999
5.4 - Medium
- February 16, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548
Incorrect Implementation of Authentication Algorithm
Mattermost 10.11.x <= 10.11.9 Channel Membership Leak via /common_teams
CVE-2026-20796
3.1 - Low
- February 13, 2026
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549
TOCTTOU
Mattermost Jira Plugin Authenticated Read via /create-issue v11.2.1,10.11.9
CVE-2026-22892
4.3 - Medium
- February 13, 2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post. Mattermost Advisory ID: MMSA-2025-00550
AuthZ
Mattermost Confluence plugin <1.7.0 XSS via unsanitized user display name
CVE-2025-13523
7.7 - High
- February 06, 2026
Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557
XSS
Mattermost Web Client <=10.11.8, <=11.0.6, <=11.1.1: Infinite Re-render DoS
CVE-2025-14435
6.8 - Medium
- January 16, 2026
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
Allocation of Resources Without Limits or Throttling
Mattermost 10.11.x <=10.11.8: HASHTAG Size Check Flaw Exposes CPU Exhaustion
CVE-2025-14822
3.1 - Low
- January 16, 2026
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Inefficient Algorithmic Complexity
Mattermost <=11.1.x issue exfil via /share-issue-publicly Jira POST
CVE-2025-64641
4.1 - Medium
- December 24, 2025
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allows a malicious Mattermost user to exfiltrate Jira tickets when victim users interact with affected posts.
AuthZ
Mattermost <=11.1 Vulnerable Jira Plugin Allows Unauthorized Channel Read
CVE-2025-13767
4.3 - Medium
- December 24, 2025
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
AuthZ
Unauth Auth via Mattermost Jira Plug <=4.4.0
CVE-2025-14273
7.2 - High
- December 22, 2025
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555
Incorrect Implementation of Authentication Algorithm
Mattermost <6.0.0 HR Disabled on MacAppStore TCC Inherit Attack
CVE-2025-13326
3.9 - Low
- December 17, 2025
Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for the Mac App Store, which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.
Protection Mechanism Failure