github.com/mattermost/mattermost-server/v6 known bugs

Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127144908-ced9a56e3988.

Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107144005-c7f6efdfb035.

Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129133647-5d787969c2d5.

Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107142155-0481bd1fb045.

Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260130144323-5bb5261c72fa.

Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260105134819-cc427af41b2a.

Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127062706-c6b205f0d770.

Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123215601-86797c508c44.

Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123211116-9efe617be8b8.

Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129164748-7201f42d955f.

Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260113182106-a18b80ba4c32.

Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260115183946-38b413a27604.

Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127165411-fe3052073dc6.

Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129181235-1346cf529aef.

Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251210191531-cd17b61de41b.

Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251215190648-6404ab29acc0.

Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251209134645-761e56bb11cc.

Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251212052346-61651b0df7ea.

Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.4.1.

Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.

Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.

Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost

Mattermost has missing redirect URL validation in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.5-0.20251016131338-dad6bd7a1509.

Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.7-0.20251106103514-3b05384dd014; github.com/mattermost/mattermost-server before v10.11.7-0.20251106103514-3b05384dd014.

Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost

Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.

Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.

Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.4.

Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250905150616-ba86dfc5876b6.

Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server

Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server

Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server

Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server

Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/v5 before v5.3.2-0.20250815165020-c8d66301415d; github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20250815165020-c8d66301415d.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost

Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250815100400-2d5cdc6e217e.

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250822083415-01b95392a450.

Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards

Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server

Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-202508080704-39bd251fe4f600.

Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server

Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250729073403-517ae758cd02.

Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server

Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server

Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server

Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.

Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server

Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250619095651-9dd0b3943e55.

Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server

Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server

Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server

Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server

Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server

Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server

Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server

Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server

Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server

Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server

Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server

Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server

Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server

Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server

Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server

Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-msteams before v2.1.0.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server

Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server

Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server

Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server

Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server

Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server

Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server

Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server

Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server

Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server

Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v9.11.0 before v9.11.16.

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v9.11.16.

Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server

Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server

Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server

Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server

Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server

Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server

Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server

Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server

Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server

Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server

Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to cause a panic and crash the Calls plugin

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.

Mattermost fails to properly verify the permissions needed for viewing archived public channels,  allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams/<team-id>/channels/deleted endpoint.

Mattermost fails to properly sanitize the request to `/api/v4/redirect_location` allowing an attacker, sending a specially crafted request to `/api/v4/redirect_location`, to fill up the memory due to caching large items.

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.

One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. Per the Mattermost security updates page, versions 6.4.2, 6.3.5, 6.2.5, and 5.37.9 contain patches for this issue

Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.

Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was disabled. 

Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest being able to view, join, edit, export and archive public playbooks.

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

Mattermost fails to check whether the "Allow users to view archived channels" setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the "Allow users to view archived channels" setting is disabled. 

Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed integrations to override the username and profile picture when posting, a member could also override the username and icon when making a post even if the Hardened Mode setting was enabled

Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).

Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager

Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files.

Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string. 

Mattermost fails to sanitize post metadata during audit logging, resulting in permalinks' contents being logged.

Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of

When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137

When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and` post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138

Mattermost fails to perform proper authorization in the `/plugins/focalboard/api/v2/users` endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.

Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.

Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to=

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.

Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.

Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.

Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.