
CVE-2025-24839 – Unauthorized AI bot activation via Wrangler plugin
https://notcve.org/view.php?id=CVE-2025-24839
16 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-2475 – Unauthorized Bot Login Using Credentials
https://notcve.org/view.php?id=CVE-2025-2475
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot, which allows an attacker to log in to the bot exactly one time via normal credentials. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •

CVE-2025-2424 – Leaked Metadata of Deleted Files via Bookmark Creation
https://notcve.org/view.php?id=CVE-2025-2424
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-32093 – System admin profile modification by delegated granular administration role
https://notcve.org/view.php?id=CVE-2025-32093
14 Apr 2025 — Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-30516 – Unauthorized Notification Exposure in Mobile App Under Specific Conditions
https://notcve.org/view.php?id=CVE-2025-30516
14 Apr 2025 — Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications. • https://mattermost.com/security-updates • CWE-613: Insufficient Session Expiration •

CVE-2025-24866 – Unauthorized Access to User Activity Logs API by delegated granular administration roles
https://notcve.org/view.php?id=CVE-2025-24866
10 Apr 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs. These are all security issues fixed in the govulncheck-vulndb-0.0.20250422T181640-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-1558 – Denial of Service Via Malicious GIF
https://notcve.org/view.php?id=CVE-2025-1558
24 Mar 2025 — Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-1398 – macOS TCC Bypass via Code Injection
https://notcve.org/view.php?id=CVE-2025-1398
17 Mar 2025 — Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. • https://mattermost.com/security-updates • CWE-426: Untrusted Search Path •

CVE-2025-1472 – Unauthorized View Access to Site Statistics and Team Statistics
https://notcve.org/view.php?id=CVE-2025-1472
28 Feb 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. These are all security issues fixed in the govulncheck-vulndb-0.0.20250327T184518-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27715 – Auto-Enrollment of Team Admins into Private Channels without explicit consent
https://notcve.org/view.php?id=CVE-2025-27715
28 Feb 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalink links without their explicit consent. These are all security issues fixed in the govulncheck-vulndb-0.0.20250327T184518-1.1 package on the GA media of openSUSE Tumbleweed. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •