github.com/mattermost/mattermost-server/v5 known bugs

Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127144908-ced9a56e3988.

Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107144005-c7f6efdfb035.

Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129133647-5d787969c2d5.

Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107142155-0481bd1fb045.

Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260130144323-5bb5261c72fa.

Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260105134819-cc427af41b2a.

Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127062706-c6b205f0d770.

Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123215601-86797c508c44.

Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123211116-9efe617be8b8.

Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129164748-7201f42d955f.

Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260113182106-a18b80ba4c32.

Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260115183946-38b413a27604.

Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127165411-fe3052073dc6.

Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129181235-1346cf529aef.

Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251210191531-cd17b61de41b.

Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251215190648-6404ab29acc0.

Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251209134645-761e56bb11cc.

Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251212052346-61651b0df7ea.

Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.4.1.

Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.

Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.

Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost

Mattermost has missing redirect URL validation in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.5-0.20251016131338-dad6bd7a1509.

Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.7-0.20251106103514-3b05384dd014; github.com/mattermost/mattermost-server before v10.11.7-0.20251106103514-3b05384dd014.

Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost

Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.

Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.

Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.4.

Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server

Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250905150616-ba86dfc5876b6.

Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server

Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server

Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server

Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server

Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/v5 before v5.3.2-0.20250815165020-c8d66301415d; github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20250815165020-c8d66301415d.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost

Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250815100400-2d5cdc6e217e.

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250822083415-01b95392a450.

Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards

Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server

Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-202508080704-39bd251fe4f600.

Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server

Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250729073403-517ae758cd02.

Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server

Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server

Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server

Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server

Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250619095651-9dd0b3943e55.

Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server

Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server

Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server

Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server

Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server

Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server

Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server

Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server

Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server

Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server

Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server

Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server

Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server

Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server

Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server

Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-msteams before v2.1.0.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server

Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server

Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server

Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server

Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server

Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server

Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v9.11.0 before v9.11.16.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v9.11.16.

Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server

Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server

Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server

Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server

Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server

Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost

Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server

Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server

Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server

Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server

Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server

Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. Per the Mattermost security updates page, versions 6.4.2, 6.3.5, 6.2.5, and 5.37.9 contain patches for this issue

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.

Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the `update_team` WebSocket event, aka MMSA-2020-0012.

Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137

When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and` post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138

Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.

Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.