CVE-2025-27571
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived...
BIT-MATTERMOST-2025-25068
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
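The MFA entry above is an instance of a common routing mistake: an authorization check is attached to one subtree of the HTTP router (the core API) while a sibling subtree (plugin-registered routes) is mounted beside it and never passes through the check. The following Go program is an added illustration written for this page; it is not Mattermost's code and does not reproduce its router. It uses the standard library only, with a constructed in-memory session table and hypothetical paths, and shows the vulnerable wiring next to the hardened one, where the MFA middleware wraps the whole route tree so that any route added later is covered automatically. The same "enforce once at the trunk, then test every branch" shape is the fix class for the other missing-check entries in this list.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is a constructed stand-in for an authenticated user session.
type Session struct {
	UserID       string
	MFARequired  bool // server-wide "enforce MFA" setting applies to this user
	MFAActivated bool // user has completed MFA enrollment
}

// Constructed session table keyed by bearer token (hypothetical values).
var sessions = map[string]Session{
	"tok-no-mfa": {UserID: "u1", MFARequired: true, MFAActivated: false},
	"tok-mfa":    {UserID: "u2", MFARequired: true, MFAActivated: true},
}

func sessionFor(r *http.Request) (Session, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	s, ok := sessions[tok]
	return s, ok
}

// requireMFA is the single enforcement point: 401 for no session,
// 403 when MFA is required but not activated, otherwise pass through.
func requireMFA(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s, ok := sessionFor(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if s.MFARequired && !s.MFAActivated {
			http.Error(w, "mfa required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// coreAPI and pluginAPI are hypothetical route groups.
func coreAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v4/users/me", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "current user")
	})
	return mux
}

func pluginAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/plugins/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "plugin data")
	})
	return mux
}

// vulnerableRouter mirrors the flaw class: the check is applied to the
// core API subtree only, and the plugin subtree is mounted beside it unchecked.
func vulnerableRouter() http.Handler {
	root := http.NewServeMux()
	root.Handle("/api/v4/", requireMFA(coreAPI()))
	root.Handle("/plugins/", pluginAPI())
	return root
}

// hardenedRouter wraps the entire tree, so every route, including ones
// plugins register later, goes through requireMFA.
func hardenedRouter() http.Handler {
	root := http.NewServeMux()
	root.Handle("/api/v4/", coreAPI())
	root.Handle("/plugins/", pluginAPI())
	return requireMFA(root)
}

// status issues a GET with the given bearer token and returns the HTTP status.
func status(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	routers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", vulnerableRouter()}, {"hardened", hardenedRouter()}}
	for _, rt := range routers {
		fmt.Printf("%-10s core=%d plugin=%d (user without MFA)\n", rt.name,
			status(rt.h, "/api/v4/users/me", "tok-no-mfa"),
			status(rt.h, "/plugins/com.example/api/v1/data", "tok-no-mfa"))
	}
}
```

The useful regression test here is not "the core API rejects a non-MFA user" but "no registered route accepts one": iterate over every path the router knows about with a session that lacks MFA and assert 403 on each. That catches the next route group someone mounts outside the middleware.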
Mattermost has Improper Check for Unusual or Exceptional Conditions
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting...
CVE-2025-22449
Mattermost Server 9.11.x ≤ 9.11.5 suffers an improper access-control flaw where team admins lacking invite permission can add users by toggling the allow_open_invite flag when a team is made public. Root cause: failure to enforce invite permissions. Affected feature/file: invite mechanism via all...