An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels.
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID
A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information about whether someone has 2FA enabled.
An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local logging is not blocked for sensitive information (e.g., server addresses or message content).
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails.
Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
An issue was discovered in Mattermost Mobile Apps before 1.26.0. A view cache can persist on a device after a logout.
An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.
An issue was discovered in Mattermost Mobile Apps before 1.29.0. The iOS app allowed Single Sign-On cookies and Local Storage to remain after a logout, aka MMSA-2020-0013.
An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka MMSA-2020-0004.
An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.
An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information (local files) during legacy attachment migration.
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration files.
An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cookie data can persist on a device after a logout.
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during a role change.
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link.
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowing media exploitation from a malicious mattermost server
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents.
Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.
Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605
Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization.
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).