3 vulnerabilities found for Mattermost Plugins by Mattermost
CERTFR-2026-AVI-0173
Vulnerability from certfr_avis - Published: 2026-02-16 - Updated: 2026-03-17
Multiple vulnerabilities have been discovered in Mattermost products. They allow an attacker to cause a remote denial of service, a breach of data confidentiality, and a security problem not specified by the vendor.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Mattermost | Mattermost Plugins | Mattermost Plugins versions 2.x prior to 2.3.1.0 |
| Mattermost | Mattermost Desktop App | Mattermost Desktop App versions prior to 5.13.4.0 |
| Mattermost | Mattermost Plugins | Mattermost Plugins versions 10.x prior to 10.11.11 |
| Mattermost | Mattermost Server | Mattermost Server versions 11.3.x prior to 11.3.1 |
| Mattermost | Mattermost Server | Mattermost Server versions 11.2.x prior to 11.2.3 |
| Mattermost | Mattermost Server | Mattermost Server versions 10.11.x prior to 10.11.11 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Mattermost Plugins versions 2.x ant\u00e9rieures \u00e0 2.3.1.0",
"product": {
"name": "Mattermost Plugins",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Desktop App versions ant\u00e9rieures \u00e0 5.13.4.0",
"product": {
"name": "Mattermost Desktop App",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Plugins versions 10.x ant\u00e9rieures \u00e0 10.11.11",
"product": {
"name": "Mattermost Plugins",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.1",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 11.2.x ant\u00e9rieures \u00e0 11.2.3",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
},
{
"description": "Mattermost Server versions 10.11.x ant\u00e9rieures \u00e0 10.11.11",
"product": {
"name": "Mattermost Server",
"vendor": {
"name": "Mattermost",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-25783",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25783"
},
{
"name": "CVE-2026-26246",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26246"
},
{
"name": "CVE-2026-2456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2456"
},
{
"name": "CVE-2026-2463",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2463"
},
{
"name": "CVE-2026-2462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2462"
},
{
"name": "CVE-2026-24458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24458"
},
{
"name": "CVE-2026-2457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2457"
},
{
"name": "CVE-2026-2458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2458"
}
],
"initial_release_date": "2026-02-16T00:00:00",
"last_revision_date": "2026-03-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0173",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-16T00:00:00.000000"
},
{
"description": "Ajout de multiples identifiants et modification des risques.",
"revision_date": "2026-03-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Mattermost. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mattermost",
"vendor_advisories": [
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00528",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00542",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00537",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00569",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00588",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00531",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00587",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00581",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00572",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00586",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00571",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00554",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00565",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00596",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00583",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2025-00568",
"url": "https://mattermost.com/security-updates/"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mattermost MMSA-2026-00585",
"url": "https://mattermost.com/security-updates/"
}
]
}
CVE-2023-3613 (GCVE-0-2023-3613)
Vulnerability from nvd – Published: 2023-07-17 15:31 – Updated: 2024-10-21 19:39
Title
Guest accounts invited and added to channels by Welcomebot plugin
Summary
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Mattermost | Mattermost Plugins | Affected: 0, ≤ 7.8.5 (semver); Affected: 0, ≤ 7.10.2 (semver); Unaffected: 7.8.6; Unaffected: 7.10.3 |
Credits
Jason Frerich
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:56.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mattermost.com/security-updates"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T19:38:31.157096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T19:39:44.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Mattermost Plugins",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "7.8.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.8.6"
},
{
"status": "unaffected",
"version": "7.10.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jason Frerich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u0026nbsp;guest accounts to be added or invited to channels by default. \u003c/p\u003e"
}
],
"value": "Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u00a0guest accounts to be added or invited to channels by default. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T15:31:23.674Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 7.8.6,\u0026nbsp;7.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 7.8.6,\u00a07.10.3 or higher. Alternatively, update the WelcomeBot plugin to version 1.3.0 or higher.\n\n"
}
],
"source": {
"advisory": "MMSA-2023-00186",
"defect": [
"https://mattermost.atlassian.net/browse/MM-52564"
],
"discovery": "EXTERNAL"
},
"title": "Guest accounts invited and added to channels by Welcomebot plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2023-3613",
"datePublished": "2023-07-17T15:31:23.674Z",
"dateReserved": "2023-07-11T08:28:36.132Z",
"dateUpdated": "2024-10-21T19:39:44.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3613 (GCVE-0-2023-3613)
Vulnerability from cvelistv5 – Published: 2023-07-17 15:31 – Updated: 2024-10-21 19:39
Title
Guest accounts invited and added to channels by Welcomebot plugin
Summary
Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.
CWE
- CWE-863 - Incorrect Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Mattermost | Mattermost Plugins | Affected: 0, ≤ 7.8.5 (semver); Affected: 0, ≤ 7.10.2 (semver); Unaffected: 7.8.6; Unaffected: 7.10.3 |
Credits
Jason Frerich