
CVE-2025-1792 – Improper Access Control in Mattermost Channel Member API
https://notcve.org/view.php?id=CVE-2025-1792
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3913 – Team Privacy Settings Authorization Bypass in Mattermost Server
https://notcve.org/view.php?id=CVE-2025-3913
29 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2570 – System Admin Cannot Access Environment settings in System Console While System Manager Can
https://notcve.org/view.php?id=CVE-2025-2570
15 May 2025 — Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check the `RestrictSystemAdmin` setting if the user doesn't have access to `ExperimentalSettings`, which allows a System Manager to access `ExperimentSettings` via the System Console when `RestrictSystemAdmin` is true. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2527 – Improper access control to group information
https://notcve.org/view.php?id=CVE-2025-2527
15 May 2025 — Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3446 – Members Without Guest Invite Permissions Can Add Guests to Teams
https://notcve.org/view.php?id=CVE-2025-3446
15 May 2025 — Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-31947 – Repeated LDAP login failures can lock an LDAP account
https://notcve.org/view.php?id=CVE-2025-31947
15 May 2025 — Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures via Mattermost. These are all security issues fixed in the govulncheck-vulndb-0.0.20250523T151856-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-645: Overly Restrictive Account Lockout Mechanism •

CVE-2025-41423 – Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin
https://notcve.org/view.php?id=CVE-2025-41423
24 Apr 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-35965 – DoS in Mattermost Playbooks via Excessive Task Actions
https://notcve.org/view.php?id=CVE-2025-35965
24 Apr 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. These are all security issues fixed in the govulncheck-vulndb-0.0.20250424T181457-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2025-41395 – Webapp DoS via malicious retrospective post in Playbooks
https://notcve.org/view.php?id=CVE-2025-41395
24 Apr 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-2564 – Unauthorized View Access to Archived Channel Member Info
https://notcve.org/view.php?id=CVE-2025-2564
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •