Mattermost Vulnerabilities
Comprehensive security vulnerability database for Mattermost products
7
0
6
0
Severity Distribution
| Description | Vendor / Product | Exploit Status | |||
|---|---|---|---|---|---|
| CVE-2026-1628 | 4.6 | This vulnerability allows an attacker to trick users into opening malicious links within the Mattermost desktop app, potentially exposing sensitive information or enabling harmful actions on untrusted servers. It affects versions up to 5.13.3 and requires the user to click on an external link while using the app. | mattermostmattermost desktop | Exploit Available | about 1 month agoMar 2, 2026 |
| CVE-2025-14350 | 4.3 | This vulnerability allows an attacker who is already logged into Mattermost to find out the names and URLs of teams they shouldn't have access to by posting links in channels and checking the system's responses. It affects specific versions of Mattermost and highlights a failure to properly check if a user is part of a team before revealing its information. | mattermostmattermost server | Exploit Available | about 2 months agoFeb 16, 2026 |
| CVE-2025-13821 | 5.7 | This vulnerability allows an attacker to steal sensitive information, like password hashes and multi-factor authentication secrets, from other users by manipulating their profile nickname or during email verification events. The attacker must already be logged in as an authenticated user on the affected versions of Mattermost to exploit this weakness. | mattermostmattermost server | Exploit Available | about 2 months agoFeb 16, 2026 |
| CVE-2026-0999 | 4.3 | This vulnerability allows an attacker who is already logged in to bypass single sign-on (SSO) requirements and use a userID-based login instead. It affects specific versions of Mattermost, meaning only users on those versions are at risk. | mattermostmattermost server | Exploit Available | about 2 months agoFeb 16, 2026 |
| CVE-2026-0998 | 4.3 | This vulnerability allows an attacker to start Zoom meetings as any user and change posts in Mattermost by tricking the system into thinking they are someone else. It affects specific versions of Mattermost and requires the attacker to have access to the API, meaning they need to be able to send requests to the server. | mattermostmattermost server | Exploit Available | about 2 months agoFeb 16, 2026 |
| CVE-2026-0997 | 4.3 | This vulnerability allows any logged-in user to change Zoom meeting settings for any channel in Mattermost by sending specially crafted requests. It affects specific versions of Mattermost and the Zoom plugin, meaning that if you're using those versions, an attacker could exploit this flaw without needing special access. | mattermostmattermost server | Theoretical | about 2 months agoFeb 16, 2026 |
| CVE-2026-22892 | 4.3 | An attacker who has access to the Jira plugin in Mattermost can exploit a flaw to read messages and attachments from private channels they shouldn't have access to by using the ID of a specific post. This vulnerability affects certain versions of Mattermost and requires the attacker to be authenticated in the system. | mattermostmattermost server | Theoretical | about 2 months agoFeb 13, 2026 |
About Mattermost Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Mattermost products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.