mattermost

Top products

The 15 most recently published vulnerabilities affecting mattermost.

• CVE-2026-8823User Manager can demote bot accounts to guest without bot-management permission3.8Jun 22, 2026
• CVE-2026-6062IDOR in Jira plugin subscription edit endpoint6.4Jun 22, 2026
• CVE-2026-6673Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install6.4Jun 22, 2026
• CVE-2026-8074Improper Permission Check Allows User Manager to Deactivate Bot Accounts3.8Jun 22, 2026
• CVE-2026-9162Global session revocation does not invalidate active WebSocket connections4.3Jun 22, 2026
• CVE-2026-5139GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration5.4Jun 22, 2026
• CVE-2026-8683Overly long URLs crash the Mattermost Desktop App6.5Jun 15, 2026
• CVE-2026-6517Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed6.3Jun 15, 2026
• CVE-2026-6961CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync7.6Jun 12, 2026
• CVE-2026-7387Mattermost group syncable endpoints allow privilege escalation via scheme_admin8.8Jun 12, 2026
• CVE-2026-6046Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server5.3Jun 12, 2026
• CVE-2026-6689*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*4.3Jun 12, 2026
• CVE-2026-7184Mattermost Remote Cluster PATCH API Leaks Authentication Tokens6.5Jun 12, 2026
• CVE-2026-6739Mattermost: Delegated admins could patch protected default system roles6.7Jun 12, 2026
• CVE-2026-3433Mattermost fails to scope role_updated websocket events to authorized team and channel members4.3Jun 12, 2026