
CVE-2025-2564 – Unauthorized View Access to Archived Channel Member Info
https://notcve.org/view.php?id=CVE-2025-2564
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-31363 – Data exfiltration via AI plugin Jira tool
https://notcve.org/view.php?id=CVE-2025-31363
16 Apr 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict the domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin's Jira tool. • https://mattermost.com/security-updates • CWE-1426: Improper Validation of Generative AI Output •
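The control that CVE-2025-31363 describes as missing is an upstream allow list applied to every URL the tool derives from model output. The following is an added example, not code from Mattermost or its AI plugin: it assumes a configured Jira host of jira.example.com, uses exact case-insensitive hostname matching (a look-alike host that merely contains the allowed name is rejected), and re-applies the same check on every redirect hop so an allowed host cannot forward the request, and the data in it, to a third party.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// AllowedUpstream decides whether the tool may contact rawURL. The allow list holds
// exact hostnames; anything else is rejected, including hosts that only contain an
// allowed name (e.g. jira.example.com.attacker.example) and any URL carrying credentials.
func AllowedUpstream(allow []string, rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	if p := u.Port(); p != "" && p != "443" {
		return fmt.Errorf("port %q not allowed", p)
	}
	host := strings.ToLower(u.Hostname())
	for _, a := range allow {
		if host == strings.ToLower(a) {
			return nil
		}
	}
	return fmt.Errorf("host %q is not on the allow list", host)
}

// NewRestrictedClient re-applies the allow list on every redirect hop, so an allowed
// host that answers with a 302 to attacker infrastructure cannot carry the request there.
func NewRestrictedClient(allow []string) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return AllowedUpstream(allow, req.URL.String())
		},
	}
}

// ToolFetch is the single gate the tool calls with a URL assembled from model output.
// The initial request is checked here; redirects are checked by the client above.
func ToolFetch(c *http.Client, allow []string, rawURL string) (*http.Response, error) {
	if err := AllowedUpstream(allow, rawURL); err != nil {
		return nil, err
	}
	return c.Get(rawURL)
}

func main() {
	allow := []string{"jira.example.com"} // assumed configured Jira host
	// Constructed inputs: a legitimate API call and three URLs of the kind a
	// prompt injection would try to make the tool fetch.
	for _, u := range []string{
		"https://jira.example.com/rest/api/2/issue/PROJ-1",
		"https://jira.example.com.attacker.example/collect?d=SECRET",
		"https://attacker.example/?leak=https://jira.example.com",
		"http://jira.example.com/rest/api/2/issue/PROJ-1",
	} {
		fmt.Printf("%-62s %v\n", u, AllowedUpstream(allow, u))
	}
}
```

A hostname allow list does not stop DNS rebinding or an allowed host that is itself compromised; resolve-and-pin the address and keep the tool's own credentials scoped to the one upstream if those are in the threat model. Subdomains are deliberately not matched by suffix here; add each permitted host explicitly.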

CVE-2025-27571 – Channel metadata visible in archived channels despite configuration setting
https://notcve.org/view.php?id=CVE-2025-27571
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27538 – MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users
https://notcve.org/view.php?id=CVE-2025-27538
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •

CVE-2025-24839 – Unauthorized AI bot activation via Wrangler plugin
https://notcve.org/view.php?id=CVE-2025-24839
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2475 – Unauthorized Bot Login Using Credentials
https://notcve.org/view.php?id=CVE-2025-2475
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot, which allows an attacker to log in to the bot exactly one time via normal credentials. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •

CVE-2025-2424 – Leaked Metadata of Deleted Files via Bookmark Creation
https://notcve.org/view.php?id=CVE-2025-2424
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-32093 – System admin profile modification by delegated granular administration role
https://notcve.org/view.php?id=CVE-2025-32093
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-25068 – Bypassing MFA Enforcement on Plugin Endpoints
https://notcve.org/view.php?id=CVE-2025-25068
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •
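CVE-2025-27538 and CVE-2025-25068 are two faces of the same gap: MFA enforcement was applied per route rather than once in front of dispatch, so plugin routes and the cross-user MFA update escaped it. The following is an added example, not Mattermost's code; it assumes a server-wide enforcement flag, a per-session "second factor completed" bit, and a single self-only exemption for the MFA enrollment route (a user who has not enrolled must still be able to reach it for their own account, and only their own).

```go
package main

import (
	"errors"
	"fmt"
)

// Session is what the API layer knows about the caller (constructed model).
type Session struct {
	UserID  string
	MFADone bool // a second factor was presented when this session was created
}

// User records whether a second factor is enrolled.
type User struct {
	ID        string
	MFAActive bool
}

// Route identifies the handler being invoked. Plugin routes are ordinary routes
// here and get no special treatment.
type Route struct {
	Name   string // e.g. "core:get_post", "plugin:com.example.jira:fetch", "core:update_mfa"
	Target string // user id the operation acts on, if any
}

var ErrMFARequired = errors.New("multi-factor authentication required")

// Server holds the enforcement flag (assumed name) and the user table.
type Server struct {
	EnforceMFA bool
	Users      map[string]*User
}

// isMFASetupRoute is the only exemption: enrolling a second factor, and only on
// the caller's own account. Acting on another user's MFA is never exempt.
func isMFASetupRoute(r Route, sess *Session) bool {
	return r.Name == "core:update_mfa" && r.Target == sess.UserID
}

// Authorize is the single MFA gate applied before dispatch to any handler,
// core or plugin. Permission checks (e.g. edit_other_users) come after it.
func (s *Server) Authorize(sess *Session, r Route) error {
	if !s.EnforceMFA {
		return nil
	}
	u, ok := s.Users[sess.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	if u.MFAActive && sess.MFADone {
		return nil // enrolled and verified in this session
	}
	if isMFASetupRoute(r, sess) {
		return nil // may complete enrollment on self only
	}
	return ErrMFARequired
}

func main() {
	s := &Server{EnforceMFA: true, Users: map[string]*User{
		"admin": {ID: "admin"},                  // holds edit_other_users, never enrolled MFA
		"alice": {ID: "alice", MFAActive: true},
	}}
	adminSess := &Session{UserID: "admin"} // constructed session with no second factor
	for _, r := range []Route{
		{Name: "plugin:com.example.jira:fetch"},
		{Name: "core:update_mfa", Target: "alice"},
		{Name: "core:update_mfa", Target: "admin"},
	} {
		fmt.Printf("%-32s target=%-6s -> %v\n", r.Name, r.Target, s.Authorize(adminSess, r))
	}
}
```

The point of the structure is that adding a plugin or a new core endpoint cannot widen the exemption: the allow decision lives in one function, and the exemption is keyed on both the route and the target being the caller.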

CVE-2025-24920 – Unauthorized Bookmark Creation and Modification in Archived Channels
https://notcve.org/view.php?id=CVE-2025-24920
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
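CVE-2025-2564, CVE-2025-27571, CVE-2025-24920 and CVE-2025-2424 share one root cause: a read or write path that looked up an object by id without consulting its archived/deleted state (and, for reads, the System Console setting). The following is an added example, not Mattermost's code; it assumes the project's convention that a non-zero DeleteAt marks an archived channel or deleted file, a config field named AllowViewArchivedChannels for the setting, and that archived channels are read-only regardless of that setting. Caller permission checks are assumed to have run already; these are the state-aware gates that were missing.

```go
package main

import (
	"errors"
	"fmt"
)

// Config carries the System Console toggle the advisories name (field name assumed).
type Config struct {
	AllowViewArchivedChannels bool
}

// Channel and FileInfo follow the convention that a non-zero DeleteAt marks an
// archived channel or a deleted file.
type Channel struct {
	ID       string
	DeleteAt int64
	Members  []string
}

type FileInfo struct {
	ID       string
	Name     string
	Size     int64
	DeleteAt int64
}

type Bookmark struct {
	ChannelID string
	FileID    string
	Label     string
}

// ChannelMeta is the post-side channel metadata a client would receive.
type ChannelMeta struct {
	ID       string
	DeleteAt int64
}

var (
	ErrArchivedHidden   = errors.New("channel is archived and viewing archived channels is disabled")
	ErrArchivedReadOnly = errors.New("channel is archived; writes are not permitted")
	ErrFileDeleted      = errors.New("file has been deleted")
)

// checkChannelRead is the one gate every read of channel data must pass:
// members, the channel metadata of a post, bookmarks.
func checkChannelRead(cfg Config, ch *Channel) error {
	if ch.DeleteAt != 0 && !cfg.AllowViewArchivedChannels {
		return ErrArchivedHidden
	}
	return nil
}

// checkChannelWrite rejects writes to archived channels regardless of the view
// setting (assumed read-only policy for archived channels).
func checkChannelWrite(ch *Channel) error {
	if ch.DeleteAt != 0 {
		return ErrArchivedReadOnly
	}
	return nil
}

func GetChannelMembers(cfg Config, ch *Channel) ([]string, error) {
	if err := checkChannelRead(cfg, ch); err != nil {
		return nil, err
	}
	return append([]string(nil), ch.Members...), nil
}

// GetPostChannelMetadata is the per-post lookup that CVE-2025-27571 says skipped the check.
func GetPostChannelMetadata(cfg Config, ch *Channel) (*ChannelMeta, error) {
	if err := checkChannelRead(cfg, ch); err != nil {
		return nil, err
	}
	return &ChannelMeta{ID: ch.ID, DeleteAt: ch.DeleteAt}, nil
}

// CreateBookmark applies the write gate on the channel and the deleted check on the
// referenced file, so a caller who knows a deleted file's id gets no metadata back.
func CreateBookmark(ch *Channel, f *FileInfo, label string) (*Bookmark, error) {
	if err := checkChannelWrite(ch); err != nil {
		return nil, err
	}
	if f != nil && f.DeleteAt != 0 {
		return nil, ErrFileDeleted
	}
	b := &Bookmark{ChannelID: ch.ID, Label: label}
	if f != nil {
		b.FileID = f.ID
	}
	return b, nil
}

func main() {
	// Constructed data: one archived channel, one deleted file.
	archived := &Channel{ID: "c-arch", DeleteAt: 1744588800000, Members: []string{"u1", "u2"}}
	_, err := GetChannelMembers(Config{AllowViewArchivedChannels: false}, archived)
	fmt.Println("members, setting off:", err)
	m, _ := GetChannelMembers(Config{AllowViewArchivedChannels: true}, archived)
	fmt.Println("members, setting on: ", m)
	_, err = CreateBookmark(archived, nil, "notes")
	fmt.Println("bookmark in archived channel:", err)
	_, err = CreateBookmark(&Channel{ID: "c-live"}, &FileInfo{ID: "f-del", Name: "secret.pdf", DeleteAt: 1}, "notes")
	fmt.Println("bookmark on deleted file:", err)
}
```

The error for a deleted file is the same whether or not the id exists, so bookmark creation no longer doubles as an oracle for file metadata; the same is true of the archived-channel errors, which carry no channel details.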