CVE-2026-27656
- EPSS 0.18%
- Veröffentlicht 25.03.2026 16:28:29
- Zuletzt bearbeitet 26.03.2026 18:51:38
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via a...
CVE-2026-26233
- EPSS 0.31%
- Veröffentlicht 25.03.2026 16:24:47
- Zuletzt bearbeitet 26.03.2026 18:52:31
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single pack...
CVE-2026-1629
- EPSS 0.2%
- Veröffentlicht 16.03.2026 20:24:05
- Zuletzt bearbeitet 18.03.2026 13:56:22
Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or ...
CVE-2026-26230
- EPSS 0.16%
- Veröffentlicht 16.03.2026 20:19:51
- Zuletzt bearbeitet 18.03.2026 13:56:13
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
CVE-2026-2454
- EPSS 0.27%
- Veröffentlicht 16.03.2026 20:10:16
- Zuletzt bearbeitet 18.03.2026 13:56:03
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket m...
CVE-2026-26304
- EPSS 0.16%
- Veröffentlicht 16.03.2026 19:53:21
- Zuletzt bearbeitet 18.03.2026 13:56:31
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
CVE-2026-24692
- EPSS 0.17%
- Veröffentlicht 16.03.2026 14:56:45
- Zuletzt bearbeitet 18.03.2026 13:54:50
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API reque...
CVE-2026-22545
- EPSS 0.15%
- Veröffentlicht 16.03.2026 14:54:45
- Zuletzt bearbeitet 18.03.2026 13:54:31
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different aut...
CVE-2026-2455
- EPSS 0.17%
- Veröffentlicht 16.03.2026 14:53:31
- Zuletzt bearbeitet 18.03.2026 13:55:00
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 ...
CVE-2026-21386
- EPSS 0.18%
- Veröffentlicht 16.03.2026 14:51:43
- Zuletzt bearbeitet 18.03.2026 13:53:15
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know...