Improper Access Control
github.com/mattermost/mattermost-server is vulnerable to improper access control. The vulnerability is due to failure in enforcing the "Allow users to view archived channels" setting, which allows an attacker to access archived channel content and files via the "Open in Channel" functionality fro...
CVE-2024-39807
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels...
CVE-2023-43754
Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled...
Mattermost Server < 11.0.0 Multiple Vulnerabilities (MMSA-2024-00337, MMSA-2025-00493, MMSA-2025-00540)
The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2024-00337, MMSA-2025-00493, MMSA-2025-00540 advisory. - Mattermost versions 11 fail to properly restrict access to archived channel search API which allows guest users ...
CVE-2025-41436
Mattermost versions 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads...
CVE-2025-11776
Mattermost versions 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the /api/v4/teams/teamid/channels/searcharchived endpoint...
Mattermost fails to properly restrict access to archived channel search API
Mattermost versions 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the /api/v4/teams/teamid/channels/searcharchived endpoint...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the /api/v4/teams/teamid/channels/searcharchived endpoint. An attacker can access information about archived public channels by sending crafted requests as a guest user. Remediation Upgrade...
Mattermost allows regular users to access archived channel content and files
Mattermost versions 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads...
GHSA-X3HX-CH7P-8XGG Mattermost allows regular users to access archived channel content and files
Mattermost versions 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper enforcement of the Allow users to view archived channels setting in the threads interface. An attacker can gain unauthorized access to archived channel content and files by using the "Open in...
Incorrect Authorization
Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Incorrect Authorization due to improper enforcement of the Allow users to view archived channels setting in the threads interface. An attacker can...