Mattermost
This hub aggregates every CVE we track for Mattermost, a product in the devtools ci space. Use it to gauge the current risk picture and drill into individual advisories.
414
CVEs tracked
7
Critical
33
High
0
In CISA KEV
Severity distribution
MEDIUM261LOW113HIGH33CRITICAL7
Monthly trend
21
9
5
4
5
12
6
9
14
9
7
3
9
6
8
11
12
2
9
34
6
36
18
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Mattermost.
- CVE-2026-4339SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server6.5
- CVE-2026-9699Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors6.8
- CVE-2026-3472Markdown image rendering bypass in AI bot tool result posts in Mattermost3.5
- CVE-2026-8823User Manager can demote bot accounts to guest without bot-management permission3.8
- CVE-2026-6062IDOR in Jira plugin subscription edit endpoint6.4
- CVE-2026-6673Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install6.4
- CVE-2026-8074Improper Permission Check Allows User Manager to Deactivate Bot Accounts3.8
- CVE-2026-9162Global session revocation does not invalidate active WebSocket connections4.3
- CVE-2026-5139GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration5.4
- CVE-2026-8683Overly long URLs crash the Mattermost Desktop App6.5
- CVE-2026-6517Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed6.3
- CVE-2026-6961CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync7.6
- CVE-2026-7387Mattermost group syncable endpoints allow privilege escalation via scheme_admin8.8
- CVE-2026-6046Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server5.3
- CVE-2026-6689*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*4.3
Product normalization is registry-driven with AI assist and human review. How it works