PatchSiren

Mattermost CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Mattermost CVE published 2026-06-26

CVE-2026-4339

CVE-2026-4339 is a medium-severity vulnerability affecting Mattermost Server versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6. The vulnerability is caused by a failure to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server. This allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SS [truncated]

LOW Mattermost CVE published 2026-06-26

CVE-2026-3472

CVE-2026-3472 is a low-severity vulnerability in Mattermost Server versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6. The vulnerability occurs because the application fails to properly apply markdown image rendering restrictions to AI bot tool result posts. This allows an authenticated attacker to inject markdown image syntax into tool result content rendered by a victim's client, poten [truncated]

MEDIUM Mattermost CVE published 2026-06-22

CVE-2026-9162

CVE-2026-9162 is a medium-severity vulnerability affecting Mattermost Server versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17. The issue arises from the failure to invalidate cached authentication state for active WebSocket connections during global session revocation. This allows a user with an existing WebSocket connection to remain authenticated and continue receiv [truncated]

MEDIUM Mattermost CVE published 2026-06-15

CVE-2026-8683

CVE-2026-8683 is a medium-severity vulnerability in Mattermost Desktop App versions <=6.1 5.5.13.0. The vulnerability occurs when the application attempts to open extremely long URLs, which can be exploited by a malicious server owner to crash the application. This is achieved by including a script that calls window.open on a very large URL. The vulnerability has a CVSS score of 6.5 and is classified as CWE-770.

MEDIUM Mattermost CVE published 2026-06-15

CVE-2026-6517

CVE-2026-6517 is a medium-severity vulnerability in the Mattermost Desktop App. Versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded. This allows any user on a server without the image proxy enabled to intercept other users' credentials via embedding an image that routes to an external web server. The vulnerability has a CVSS score of 6.3 and was publ [truncated]

HIGH Mattermost CVE published 2026-06-12

CVE-2026-7387

CVE-2026-7387 is a high-severity vulnerability in Mattermost that allows for authorization bypass. The vulnerability affects Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16. An attacker with group-link permissions can escalate themselves and group members to team or channel admin via crafted API requests. The vulnerability has a CVSS score of 8.8 and is [truncated]

MEDIUM Mattermost CVE published 2026-06-12

CVE-2026-7184

CVE-2026-7184 is a medium-severity vulnerability in Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x <= 10.11.15. The issue allows an attacker with the manage_secure_connections permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint due to a failure to sanitize the Remote Cluster API response on PATCH operations.

HIGH Mattermost CVE published 2026-06-12

CVE-2026-6961

CVE-2026-6961 is a high-severity vulnerability with a CVSS score of 7.6. Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16 are affected. The vulnerability is caused by Mattermost's failure to sanitize FileInfo.Name received from federated peers during shared channel file sync. This allows an attacker controlling a federated server to write files to arbitr [truncated]

MEDIUM Mattermost CVE published 2026-06-12

CVE-2026-6739

CVE-2026-6739 is a medium-severity vulnerability in Mattermost that affects versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16. The vulnerability allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. This is due to the failure of the system to require system-level per [truncated]

MEDIUM Mattermost CVE published 2026-06-12

CVE-2026-6689

CVE-2026-6689 is a medium-severity vulnerability affecting Mattermost, a popular communication platform. The vulnerability has a CVSS score of 4.3 and was published on 2026-06-12. It allows an authenticated user with PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings, making the team publicly joinable or constraining membership via allowed domains.

MEDIUM Mattermost CVE published 2026-06-12

CVE-2026-6046

CVE-2026-6046 is a medium-severity vulnerability in Mattermost, a popular communication platform. The issue arises from the platform's failure to validate that a username returned during bot registration belongs to a bot account. This oversight allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plug [truncated]

MEDIUM Mattermost CVE published 2026-06-12

CVE-2026-3433

CVE-2026-3433 is a vulnerability in Mattermost, a self-hosted, open-source, and customizable platform for team communication. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. It was published on 2026-06-12T17:16:22.467Z and has not been modified since its publication.

HIGH Mattermost CVE published 2026-05-27

CVE-2026-6957

A path traversal vulnerability in Mattermost Plugins versions 1.1.5 and earlier allows remote administrators of federated Mattermost servers to write files to arbitrary locations within a target server's filestore. The vulnerability exists because filenames received from federated peers are not sanitized before being used to construct export destination paths during shared-channel attachment synchronizati [truncated]

MEDIUM Mattermost CVE published 2026-05-25

CVE-2026-4915

Mattermost versions 11.6.x through 11.6.0, 11.5.x through 11.5.3, 11.4.x through 11.4.4, and 10.11.x through 10.11.14 contain a denial-of-service vulnerability in outgoing webhook processing. An authenticated attacker can trigger server process termination by sending a crafted webhook callback response containing a null attachment entry. The root cause is improper filtering of nil elements in w [truncated]

HIGH Mattermost CVE published 2026-05-21

CVE-2026-4858

CVE-2026-4858 is a Mattermost path traversal issue in integration action URL handling. According to the published description, a malicious authenticated user can bypass URL checks and use path traversal to call arbitrary APIs with the system admin Mattermost auth token. The issue is tracked by Mattermost as advisory MMSA-2026-00640 and is rated CVSS 8.0 (HIGH).

MEDIUM Mattermost CVE published 2026-05-21

CVE-2026-22880

CVE-2026-22880 describes an SSO callback origin validation weakness in Mattermost Mobile Apps. According to the NVD entry and Mattermost reference, a malicious Mattermost server can abuse the mobile app’s SSO flow to relay the authentication exchange and capture credentials or tokens intended for a legitimate server. The issue is publicly disclosed with CWE-352 context and a CVSS 3.1 score of 6.1 (medium).

MEDIUM Mattermost CVE published 2026-05-21

CVE-2026-4055

CVE-2026-4055 is a team-scoped authorization flaw in Mattermost playbook run creation. According to the NVD summary, versions 11.5.x through 11.5.1 fail to validate the target team’s run_create permission when a playbook run is created, which can let an authenticated team member create runs in a team where they do not have permission by specifying a different team ID in the API request. The issue is rated [truncated]

HIGH Mattermost CVE published 2026-05-18

CVE-2026-6347

CVE-2026-6347 is a high-severity information disclosure issue in the Mattermost Calls plugin. In affected Mattermost releases, sensitive configuration fields are not properly sanitized when a support packet is generated, which can leave TURN server credentials in plaintext inside the exported plugin configuration. Anyone with access to that support packet could recover the credentials. The CVE was publish [truncated]

HIGH Mattermost CVE published 2026-05-18

CVE-2026-6346

Mattermost fixed a credential-exposure issue in support packet generation that affected specific 10.11.x, 11.4.x, and 11.5.x releases. On vulnerable versions, sensitive configuration fields were not sanitized before a support packet was created, so a System Admin or anyone with access to the packet could retrieve plaintext credentials from the downloaded file. NVD rates the issue as high severity (CVSS 8. [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6345

CVE-2026-6345 describes a Mattermost Server issue where created user passwords were not adequately protected from disclosure. According to the vendor and NVD, a malicious attacker with sufficient privileges could use exposed passwords to impersonate a user. The issue is rated medium severity with high confidentiality and integrity impact.

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6343

CVE-2026-6343 is a Mattermost authorization issue published on 2026-05-18. According to the vendor/NVD record, certain Mattermost Server versions fail to correctly enforce public/private permissions, which can allow users without those permissions to access public playbooks through the /get endpoint. NVD rates the issue CVSS 3.1 4.3 (Medium), with low-privilege, network-reachable access and a confidential [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6339

CVE-2026-6339 is a Mattermost vulnerability published on 2026-05-18 that can let an authenticated channel member force the reveal of a burn-on-read message without recipient consent. The issue affects Mattermost Server 11.4.0 through 11.4.3 and 11.5.0 through 11.5.1, with vendor and NVD records identifying it as a low-severity, network-reachable issue with limited availability impact.

LOW Mattermost CVE published 2026-05-18

CVE-2026-4286

CVE-2026-4286 is a low-severity Mattermost authorization issue affecting playbook updates. According to the vendor and NVD data, users with only Manage Playbook Configurations permission could change a playbook’s team through the update API because the application did not verify whether {{team_id}} was being changed. That bypassed the intended manage members restriction for team changes. The affected rang [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-3471

CVE-2026-3471 is a medium-severity denial-of-service issue in the Mattermost Desktop App. According to the CVE description, the app fails to block an invalid URL from loading inside a pop-up window, which can let a malicious server owner repeatedly crash the application by invoking window.open('javascript:alert()');. The issue was publicly disclosed on 2026-05-18 and is associated with Mattermost advisory [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-3117

A missing authorization check in the Mattermost GitLab plugin allows authenticated users to perform administrative actions. The vulnerability exists in the plugin's command handlers for `gitlab instance` and `/gitlab webhook` commands, which fail to verify that the invoking user has appropriate permissions before executing instance uninstallation or webhook configuration operations. This represents a clas [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6342

CVE-2026-6342 is a low-complexity authorization flaw in Mattermost Plugins that can let a plugin user create subscriptions to groups they were not supposed to access. The issue stems from insufficient validation of namespaces: if a user can create a group whose name shares a prefix with a whitelisted group, the plugin may treat it as valid. Mattermost’s advisory and the NVD record both tie this to a permi [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6341

A missing authorization check in Mattermost Plugins allows authenticated users with membership in multiple groups to bypass group-level restrictions when creating issues or attaching comments via direct API requests. The vulnerability stems from insufficient API-level validation of group permissions, enabling users to interact with locked groups they should not access. This affects Mattermost Plugins vers [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-6340

CVE-2026-6340 is a denial-of-service issue in Mattermost’s handling of 7zip archives. According to the provided description, affected versions fail to validate 7zip archive structure before processing, allowing an authenticated attacker to upload a specially crafted archive with excessive folder declarations and trigger server memory exhaustion. The result is loss of availability rather than direct data e [truncated]

LOW Mattermost CVE published 2026-05-18

CVE-2026-6334

CVE-2026-6334 is a low-severity OAuth authorization flaw reported for Mattermost. According to the CVE description and NVD record, affected versions fail to enforce client identity binding during authorization code redemption, which can allow one authenticated OAuth client to redeem an authorization code issued to a different client. The issue was published on 2026-05-18 and the only cited vendor referenc [truncated]

LOW Mattermost CVE published 2026-05-18

CVE-2026-4273

A vulnerability in Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13 allows an authenticated attacker to bypass token rotation during remote cluster invite confirmation. The root cause is a missing validation check that the RefreshedToken differs from the original invite token. By sending a crafted invite confirmation with a RefreshedToken matching the original token, an attack [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-3637

Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 contain an authorization bypass vulnerability. The application fails to validate the `create_post` channel permission when processing post edit operations. An authenticated attacker whose posting privileges have been revoked can continue to modify their existing posts by sending direct API requests to the [truncated]

LOW Mattermost CVE published 2026-05-18

CVE-2026-3495

Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13 contain a stored cross-site scripting (XSS) vulnerability in error page composition. The application fails to properly escape variables that may contain malicious content when rendering error pages. An attacker with administrative privileges to edit site configuration can inject JavaScript payloads into these variables, which ex [truncated]

MEDIUM Mattermost CVE published 2026-05-18

CVE-2026-28759

CVE-2026-28759 is a Mattermost server authorization flaw in shared channel membership synchronization. A malicious remote cluster can send crafted membership sync messages and remove users from channels it is not allowed to access, including private channels. NVD rates the issue CVSS 4.3 (MEDIUM).

MEDIUM Mattermost CVE published 2026-03-26

CVE-2026-3116

CVE-2026-3116 is a vulnerability in Mattermost Plugins versions <=11.4, 11.0.4, 11.1.3, 11.3.2, 10.11.11.0. The affected plugin fails to validate incoming request size, allowing an authenticated attacker to cause service disruption via the webhook endpoint. The vulnerability has a CVSS score of 4.9 and a severity of MEDIUM.

LOW Mattermost CVE published 2026-03-26

CVE-2026-3109

CVE-2026-3109 is a low-severity vulnerability in Mattermost Plugins versions <=11.4 10.11.11.0. The vulnerability allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests due to a failure to validate webhook request timestamps. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 2.2, indicating a low severity.