CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-47871 – Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API
https://notcve.org/view.php?id=CVE-2025-47871
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-46702 – Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
https://notcve.org/view.php?id=CVE-2025-46702
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized acces... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-3228 – Unauthorized Guest user access to Playbook
https://notcve.org/view.php?id=CVE-2025-3228
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-3227 – Unauthorized channel member management through playbook runs
https://notcve.org/view.php?id=CVE-2025-3227
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-4981 – Path Traversal Leading to RCE by Any Authenticated Mattermost User
https://notcve.org/view.php?id=CVE-2025-4981
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and File... • https://mattermost.com/security-updates • CWE-427: Uncontrolled Search Path Element •
CVSS: 3.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-4128 – Mattermost Guest User Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2025-4128
11 Jun 2025 — Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}. Las versiones de Mattermost 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 no restringen adecuadamente el acceso de la API a la información del equipo, lo que permite que los usuarios invitados omitan los permisos y vean información sobre equipos... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-4573 – LDAP Injection in Mattermost Enterprise Edition When Using Active Directory
https://notcve.org/view.php?id=CVE-2025-4573
11 Jun 2025 — Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute. Las versiones de Mattermost 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 no l... • https://mattermost.com/security-updates • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVSS: 3.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3611 – Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions
https://notcve.org/view.php?id=CVE-2025-3611
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-3230 – Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server
https://notcve.org/view.php?id=CVE-2025-3230
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-2571 – Google OAuth Authentication Bypass for Converted Bot Accounts
https://notcve.org/view.php?id=CVE-2025-2571
30 May 2025 — Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow. • https://mattermost.com/security-updates • CWE-303: Incorrect Implementation of Authentication Algorithm •