50 matches found
GHSA-XVCX-MGPC-5XH3 Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
EUVD-2026-30749
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
CVE-2026-45385 Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same...
Improper Authorization
github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to insufficient validation of team membership permissions in the Add Channel Member API, which allows an attacker to exploit the API endpoint to access user metadata and channel membership...
Discourse Information Disclosure Vulnerability (CNVD-2026-17255)
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from the possibility of inferring the identity of a channel...
Discourse 信息泄露漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from the possibility of inferring the identity of a channel...
CVE-2025-1792
Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...
SUSE CVE-2025-11777
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...
SUSE CVE-2025-55074
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
GO-2025-4133 Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
Mattermost Server 10.5.x < 10.5.12 / 10.11.x 10.11.4 / 11.0.0 Missing Authorization (MMSA-2025-00518)
The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00518 advisory. - Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows...
EUVD-2025-198045
Mattermost allows other users to determine when users had read channels via channel member objects...
GHSA-9HH7-6558-QFP2 Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074 Channel member objects leak read status
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074
Mattermost server (versions 10.11.x <= 10.11.3 and 10.5.x
PT-2025-47329
Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.11 Mattermost versions 10.11.x through 10.11.3 Description The Mattermost application does not properly enforce access permissions within the Agents plugin. This allows other users to determine when user...
CVE-2025-11777
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to properly validating team membership permissions in the Add Channel Member API. An attacker can obtain unauthorized access to user metadata and channel membership information from other teams by sending...