GO-2025-3772 Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server...
Mattermost has Insufficiently Protected Credentials
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite, which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to by guessing the PendingPostID of...
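The PendingPostID entry above describes a lookup keyed on a client-chosen identifier that skipped the channel-membership check. As an added illustration (not Mattermost code; the Store, the member table, the sample posts and the `ceo:<timestamp>`-style IDs are all constructed for the example), the Go below puts the unchecked lookup beside one that re-authorizes the caller against the post's channel and returns the same "not found" answer to non-members as for unknown IDs:

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned both for unknown IDs and for posts the caller may not
// see, so the cache cannot be used as an oracle for which pending IDs exist.
var ErrNotFound = errors.New("post not found")

// Post is the cached object. The pending ID is chosen by the client that created
// the post, so another user can guess it; it is not a capability.
type Post struct {
	ID, PendingPostID, ChannelID, Message string
}

// Store holds constructed server state: channel memberships and the pending-ID
// cache that lets a reconnecting client deduplicate its own posts.
type Store struct {
	members      map[string]map[string]bool // channelID -> userID -> is member
	pendingCache map[string]*Post            // pendingPostID -> post
}

// NewStore builds the constructed sample data used by the example.
func NewStore() *Store {
	s := &Store{members: map[string]map[string]bool{}, pendingCache: map[string]*Post{}}
	s.members["priv-exec"] = map[string]bool{"ceo": true, "cfo": true}
	s.members["town-square"] = map[string]bool{"ceo": true, "cfo": true, "guest": true}
	s.pendingCache["ceo:1718000000001"] = &Post{ID: "p1", PendingPostID: "ceo:1718000000001",
		ChannelID: "priv-exec", Message: "board numbers attached"}
	s.pendingCache["cfo:1718000000002"] = &Post{ID: "p2", PendingPostID: "cfo:1718000000002",
		ChannelID: "town-square", Message: "lunch at noon"}
	return s
}

// GetCachedPostUnchecked is the vulnerable shape: presence in the cache is taken
// as sufficient, so any authenticated user who guesses the ID reads the post.
func (s *Store) GetCachedPostUnchecked(_ string, pendingID string) (*Post, error) {
	p, ok := s.pendingCache[pendingID]
	if !ok {
		return nil, ErrNotFound
	}
	return p, nil
}

// GetCachedPost re-authorizes the caller against the channel the cached post
// belongs to; the cache only changes where the post comes from, not who may read it.
func (s *Store) GetCachedPost(userID, pendingID string) (*Post, error) {
	p, ok := s.pendingCache[pendingID]
	if !ok || !s.members[p.ChannelID][userID] {
		return nil, ErrNotFound
	}
	return p, nil
}

func main() {
	s := NewStore()
	leaked, _ := s.GetCachedPostUnchecked("guest", "ceo:1718000000001")
	fmt.Println("unchecked lookup by guest:", leaked.Message)
	_, err := s.GetCachedPost("guest", "ceo:1718000000001")
	fmt.Println("checked lookup by guest:", err)
	p, _ := s.GetCachedPost("cfo", "ceo:1718000000001")
	fmt.Println("checked lookup by channel member:", p.Message)
}
```

The same shape applies to the deleted-file bookmark entry further down this list: whatever index the object is found through, authorization is decided against the object's current state (its channel, its deleted flag), not against the fact that some lookup succeeded.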
MAL-2025-5183 Malicious code in mattermost-hardware-keyboard (npm)
Source: ghsa-malware (7ecd12acfdee0d8c320c06fc7fdbeefd8c0847f90dc3df7bdee5938cc744dcc4). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GO-2025-3757 Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server...
GHSA-JWHW-XF5V-QGXC Mattermost allows guest users to view information about public teams they are not members of
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...
CVE-2025-4128
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...
GO-2025-3724 Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server...
GHSA-8CGX-9CCJ-3GWR Mattermost fails to clear Google OAuth credentials
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow...
PT-2025-23309 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.7.x through 10.7.0; 10.5.x through 10.5.3; 9.11.x through 9.11.12. Description: The issue is related to the failure of Mattermost to properly enforce access control restrictions for...
Mattermost Fails to Verify User's Permissions When Accessing Groups
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request...
GHSA-QGWX-RFFP-6CX9 Mattermost Fails to Lockout LDAP Users After Repeated Login Failures
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts by driving repeated login failures through Mattermost...
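The LDAP lockout entry above is an availability problem at the boundary between the application and the directory: if the application forwards every failed bind, an attacker can spend the directory's own lockout budget on someone else's account. The Go below is an added example, not Mattermost's implementation; the LoginGate, the Binder interface, the in-memory fakeDirectory and the thresholds are all constructed. It shows a local per-account failure budget that trips before the directory's threshold is reached, so bad binds stop leaving the application:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrLockedOut is returned once the local failure budget for an account is spent.
// While an account is locked here, nothing is sent to the directory at all.
var ErrLockedOut = errors.New("account temporarily locked: too many failed logins")

// ErrBadCredentials is the normal rejection for a wrong password.
var ErrBadCredentials = errors.New("invalid credentials")

// Binder abstracts an LDAP simple bind. In a real deployment this wraps an LDAP
// connection; fakeDirectory below stands in for it and counts what reaches it.
type Binder interface {
	Bind(username, password string) error
}

// LoginGate sits in front of the directory and enforces a local lockout that
// trips strictly below the directory's own threshold, so an attacker hammering
// the application cannot push the external account into the directory's lockout.
type LoginGate struct {
	mu          sync.Mutex
	maxAttempts int           // local budget; keep it below the directory's lockout threshold
	window      time.Duration // failures older than this are forgotten
	now         func() time.Time
	failures    map[string][]time.Time
	dir         Binder
}

func NewLoginGate(dir Binder, maxAttempts int, window time.Duration) *LoginGate {
	return &LoginGate{
		maxAttempts: maxAttempts,
		window:      window,
		now:         time.Now,
		failures:    make(map[string][]time.Time),
		dir:         dir,
	}
}

// prune drops failures outside the window and returns how many remain.
func (g *LoginGate) prune(user string) int {
	cutoff := g.now().Add(-g.window)
	kept := g.failures[user][:0]
	for _, t := range g.failures[user] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	g.failures[user] = kept
	return len(kept)
}

// Login checks the local budget first and only then binds against the directory.
// A success clears the counter; a failure is recorded before the error is returned.
func (g *LoginGate) Login(user, password string) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.prune(user) >= g.maxAttempts {
		return ErrLockedOut
	}
	if err := g.dir.Bind(user, password); err != nil {
		g.failures[user] = append(g.failures[user], g.now())
		return ErrBadCredentials
	}
	delete(g.failures, user)
	return nil
}

// fakeDirectory is a constructed stand-in for an LDAP server with its own
// lockout policy: after lockThreshold bad binds the account is locked for everyone.
type fakeDirectory struct {
	password      string
	badBinds      int
	lockThreshold int
}

func (d *fakeDirectory) Bind(_, password string) error {
	if d.badBinds >= d.lockThreshold {
		return errors.New("directory: account locked")
	}
	if password != d.password {
		d.badBinds++
		return errors.New("directory: invalid credentials")
	}
	return nil
}

// Simulate sends attempts wrong passwords for one account through a gate with the
// given local budget and reports how many bad binds reached the directory and
// whether the directory-side lockout was triggered.
func Simulate(attempts, localMax, dirThreshold int) (badBinds int, directoryLocked bool) {
	dir := &fakeDirectory{password: "correct-horse", lockThreshold: dirThreshold}
	gate := NewLoginGate(dir, localMax, 15*time.Minute)
	for i := 0; i < attempts; i++ {
		_ = gate.Login("alice", "wrong-password")
	}
	return dir.badBinds, dir.badBinds >= dir.lockThreshold
}

func main() {
	// No effective local limit: every attempt is forwarded and the directory locks alice.
	binds, locked := Simulate(50, 1000, 5)
	fmt.Printf("no local lockout: %d bad binds reached LDAP, directory locked=%v\n", binds, locked)
	// Local budget of 3 (below 5): the directory sees 3 bad binds and alice stays usable elsewhere.
	binds, locked = Simulate(50, 3, 5)
	fmt.Printf("local lockout at 3: %d bad binds reached LDAP, directory locked=%v\n", binds, locked)
}
```

The local budget has to be strictly smaller than the directory's lockout threshold, and its window at least as long as the directory's observation window; otherwise failures still leak through. A local lockout is itself a denial-of-service lever against logins to this one application, but it is scoped and expires, rather than locking the account out of every system that authenticates against the directory.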
PT-2025-17702 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.10; 10.4.x through 10.4.2; 10.5.x through 10.5.0. Description: The issue arises from the failure to properly validate the props used by the RetrospectivePost custom...
GHSA-WWHJ-PW6H-F8HW Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark, which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation...
Mattermost Fails to Restrict Certain Operations on System Admins
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system...
Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs...
BIT-MATTERMOST-2025-27715
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalink links without their explicit consent...
GO-2025-3549 Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server...
GO-2025-3556 Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server...
GHSA-3GPX-P63P-PR5R Mattermost Fails to Enforce Certain Search APIs
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries...
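The MFA entry above is an instance of a recurring failure mode: when MFA enforcement is re-implemented handler by handler, any handler wired without it (here, the search endpoints) becomes a bypass. The Go below is an added example, not Mattermost's code; the session table, the route list and the exemption list are constructed for illustration. It builds the same route set twice, once with per-handler checks that the search handlers omit and once behind a single middleware, and runs an audit that requests every route as a pending-MFA session to find the ones that answer 200:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is the caller; MFAPending means MFA is required but not yet enrolled.
type Session struct{ MFAPending bool }

// Constructed token -> session table standing in for the real session store.
var sessions = map[string]Session{"tok-enrolled": {}, "tok-pending": {MFAPending: true}}

// The only paths a pending-MFA session may reach: finish enrolling, or log out.
var mfaExempt = map[string]bool{"/api/v4/users/me/mfa": true, "/api/v4/users/logout": true}

// Constructed route list for the example, including the three search endpoints.
var apiRoutes = []string{
	"/api/v4/users/search", "/api/v4/channels/search", "/api/v4/teams/search",
	"/api/v4/posts", "/api/v4/users/me/mfa", "/api/v4/users/logout",
}

// authorize returns the HTTP status to deny with, or 0 if the request may proceed.
func authorize(r *http.Request) int {
	sess, ok := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	if !ok {
		return http.StatusUnauthorized
	}
	if sess.MFAPending && !mfaExempt[r.URL.Path] {
		return http.StatusForbidden
	}
	return 0
}
func okHandler(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("ok")) }

// checkedHandler is the per-handler shape: every handler must remember the check.
func checkedHandler(w http.ResponseWriter, r *http.Request) {
	if code := authorize(r); code != 0 {
		http.Error(w, http.StatusText(code), code)
		return
	}
	okHandler(w, r)
}

// NewRouterPerHandler reproduces the bug class: the search handlers lack the check.
func NewRouterPerHandler() http.Handler {
	mux := http.NewServeMux()
	for _, p := range apiRoutes {
		if strings.HasSuffix(p, "/search") {
			mux.HandleFunc(p, okHandler) // the forgotten check
		} else {
			mux.HandleFunc(p, checkedHandler)
		}
	}
	return mux
}

// requireMFA applies the same policy to the whole router, so no handler can forget it.
func requireMFA(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := authorize(r); code != 0 {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouterCentral is the hardened shape: handlers check nothing themselves.
func NewRouterCentral() http.Handler {
	mux := http.NewServeMux()
	for _, p := range apiRoutes {
		mux.HandleFunc(p, okHandler)
	}
	return requireMFA(mux)
}

// Probe issues one request with the given bearer token and returns the status code.
func Probe(h http.Handler, token, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// AuditMFA returns every non-exempt route a pending-MFA session can still reach.
func AuditMFA(h http.Handler) []string {
	var leaks []string
	for _, p := range apiRoutes {
		if !mfaExempt[p] && Probe(h, "tok-pending", p) == http.StatusOK {
			leaks = append(leaks, p)
		}
	}
	return leaks
}

func main() {
	fmt.Println("per-handler router leaks:", AuditMFA(NewRouterPerHandler()))
	fmt.Println("central middleware leaks:", AuditMFA(NewRouterCentral()))
}
```

The audit is the reusable part: run it over the real route table in CI whenever a route is added, with the exemption list kept deliberately short (enrolment and logout only), so a new endpoint that forgets the check fails the build instead of shipping as a bypass.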