Mattermost server

This hub aggregates every CVE we track for Mattermost server, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Mattermost server.

• CVE-2026-6961CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync7.6Jun 12, 2026
• CVE-2026-7387Mattermost group syncable endpoints allow privilege escalation via scheme_admin8.8Jun 12, 2026
• CVE-2026-6046Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server5.3Jun 12, 2026
• CVE-2026-6689*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*4.3Jun 12, 2026
• CVE-2026-7184Mattermost Remote Cluster PATCH API Leaks Authentication Tokens6.5Jun 12, 2026
• CVE-2026-6739Mattermost: Delegated admins could patch protected default system roles6.7Jun 12, 2026
• CVE-2026-3433Mattermost fails to scope role_updated websocket events to authorized team and channel members4.3Jun 12, 2026
• CVE-2026-4915Server panic via outgoing webhook responses6.5May 25, 2026
• CVE-2026-4858Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.8.0May 21, 2026
• CVE-2026-4055Insufficient permission validation on cross-team playbook run creation4.3May 21, 2026
• CVE-2026-6333SSRF via Host Header Spoofing in Custom Slash Commands3.5May 18, 2026
• CVE-2026-6345Prevent password disclosure and force reset during Slack import6.5May 18, 2026
• CVE-2026-6346Sensitive credentials exposed in plaintext in Mattermost support packets8.7May 18, 2026
• CVE-2026-28732Slash command trigger-word update allowed command hijacking4.3May 18, 2026
• CVE-2026-6343Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks4.3May 18, 2026