Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting, which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads.
Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Mattermost versions <11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint.
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant-time comparison on an MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only.
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow users from setting their own remote username, when shared channels are enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would then be synced to the local server as long as the user hadn't been synced before.