Mattermost server Vulnerabilities
Security vulnerability tracking for Mattermost server
Vulnerability Timeline
7 vulnerabilities discovered over time for Mattermost server
| CVE ID | CVSS | Description | Vendor / Product | Exploit Status | Date |
|---|---|---|---|---|---|
| CVE-2025-14573 | 2.7 | This vulnerability allows team administrators to improperly add users to their team through API requests, even if they don't have the necessary permissions. It affects specific versions of Mattermost and requires the attacker to have administrative access to the team settings. | mattermost / mattermost server | Exploit Available | Feb 16, 2026 (about 2 months ago) |
| CVE-2025-14350 | 4.3 | This vulnerability allows an attacker who is already logged into Mattermost to find out the names and URLs of teams they shouldn't have access to by posting links in channels and checking the system's responses. It affects specific versions of Mattermost and highlights a failure to properly check if a user is part of a team before revealing its information. | mattermost / mattermost server | Exploit Available | Feb 16, 2026 (about 2 months ago) |
| CVE-2025-13821 | 5.7 | This vulnerability allows an attacker to steal sensitive information, like password hashes and multi-factor authentication secrets, from other users by manipulating their profile nickname or during email verification events. The attacker must already be logged in as an authenticated user on the affected versions of Mattermost to exploit this weakness. | mattermost / mattermost server | Exploit Available | Feb 16, 2026 (about 2 months ago) |
| CVE-2026-0999 | 4.3 | This vulnerability allows an attacker who is already logged in to bypass single sign-on (SSO) requirements and use a userID-based login instead. It affects specific versions of Mattermost, meaning only users on those versions are at risk. | mattermost / mattermost server | Exploit Available | Feb 16, 2026 (about 2 months ago) |
| CVE-2026-0998 | 4.3 | This vulnerability allows an attacker to start Zoom meetings as any user and change posts in Mattermost by tricking the system into thinking they are someone else. It affects specific versions of Mattermost and requires the attacker to have access to the API, meaning they need to be able to send requests to the server. | mattermost / mattermost server | Exploit Available | Feb 16, 2026 (about 2 months ago) |
| CVE-2026-0997 | 4.3 | This vulnerability allows any logged-in user to change Zoom meeting settings for any channel in Mattermost by sending specially crafted requests. It affects specific versions of Mattermost and the Zoom plugin, meaning that if you're using those versions, an attacker could exploit this flaw without needing special access. | mattermost / mattermost server | Theoretical | Feb 16, 2026 (about 2 months ago) |
| CVE-2026-22892 | 4.3 | An attacker who has access to the Jira plugin in Mattermost can exploit a flaw to read messages and attachments from private channels they shouldn't have access to by using the ID of a specific post. This vulnerability affects certain versions of Mattermost and requires the attacker to be authenticated in the system. | mattermost / mattermost server | Theoretical | Feb 13, 2026 (about 2 months ago) |
About Mattermost server Security
This page provides comprehensive security vulnerability tracking for Mattermost server. Our database includes all CVEs affecting this product, updated in real time from official sources.
Each vulnerability listing includes detailed CVSS severity analysis, exploit availability status, AI-generated explanations, and direct links to official security patches and vendor advisories.
Security Recommendations
- Always keep Mattermost server updated to the latest version
- Subscribe to security advisories from Mattermost
- Monitor this page for new vulnerabilities affecting your version
- Prioritize patching critical and high severity issues immediately