
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3590 | Race Condition in Guest Magic Link Authentication Allows Token Reuse | Mattermost | CWE-367 | 6.5 | Medium | 2026-04-15 |
| CVE-2026-28741 | CSRF Protection Bypass Allows Updating a User's Authentication Method | Mattermost | CWE-352 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-27769 | Connected Workspaces: Malicious remote server can manipulate arbitrary user's status | Mattermost | CWE-862 | 2.7 | Low | 2026-04-15 |
| CVE-2026-24661 | Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint | Mattermost | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-21388 | Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint | Mattermost | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-3524 | Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check | Mattermost | CWE-862 | 8.3 | High | 2026-04-06 |
| CVE-2026-28736 | Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix) | Focalboard | CWE-639 | 4.3 | Medium | 2026-04-03 |
| CVE-2026-25773 | Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix) | Focalboard | CWE-89 | 8.1 | High | 2026-04-03 |
| CVE-2026-3112 | Arbitrary File Read via Advanced Logging Support Packet | Mattermost | CWE-22 | 6.8 | Medium | 2026-03-26 |
| CVE-2026-3109 | Missing timestamp validation in Zoom webhook handler | Mattermost | CWE-754 | 2.2 | Low | 2026-03-26 |
| CVE-2026-3115 | Guest users can view group member IDs without respecting view restrictions | Mattermost | CWE-863 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-3114 | Zip Bomb Denial of Service via Unrestricted Archive Decompression | Mattermost | CWE-409 | 6.5 | Medium | 2026-03-26 |
| CVE-2026-3116 | Improper Input Validation in Zoom Plugin Webhook Handler | Mattermost | CWE-400 | 4.9 | Medium | 2026-03-26 |
| CVE-2026-3113 | mmctl export download command doesn't restrict permissions to created file to file owner | Mattermost | CWE-732 | 5.0 | Medium | 2026-03-26 |
| CVE-2026-3108 | Terminal Escape Injection in mmctl Report Posts Command | Mattermost | CWE-150 | 8.0 | High | 2026-03-26 |
| CVE-2026-4274 | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access | Mattermost | CWE-863 | 5.4 | Medium | 2026-03-26 |
| CVE-2026-27659 | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint | Mattermost | CWE-352 | 4.6 | Medium | 2026-03-25 |
| CVE-2026-20719 | DoS via URL Previews Rendering Malicious SVGs | Mattermost | CWE-754 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-27656 | Account Takeover via Substring Matching in OpenID Connect Authentication | Mattermost | CWE-303 | 5.7 | Medium | 2026-03-25 |
| CVE-2026-26233 | Denial of Service via HTTP/2 single packet attack on login endpoint | Mattermost | CWE-400 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-1629 | Permalink Preview Information Disclosure After Permission Revocation | Mattermost | CWE-672 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-26230 | Team Admin Privilege Escalation to Demote Members to Guest | Mattermost | CWE-863 | 3.8 | Low | 2026-03-16 |
| CVE-2026-2454 | DoS in Calls plugin via malformed msgpack in websocket request | Mattermost | CWE-1287 | 5.8 | Medium | 2026-03-16 |
| CVE-2026-26304 | Permission Bypass in Playbook Run Creation | Mattermost | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24692 | Guest users can bypass read permissions via search API | Mattermost | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-22545 | Password Change Bypass via Auth Switch Endpoint | Mattermost | CWE-863 | 3.1 | Low | 2026-03-16 |
| CVE-2026-2455 | SSRF bypass via IPv4-mapped IPv6 literals | Mattermost | CWE-918 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-21386 | Private channel enumeration via /mute slash command | Mattermost | CWE-203 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-25780 | Memory Exhaustion via Malformed DOC File Upload | Mattermost | CWE-789 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-4265 | Guest user can upload files without permission across teams | Mattermost | CWE-863 | 4.3 | Medium | 2026-03-16 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.