In Mattermost versions 11.3.x (≤ 11.3.0), 11.2.x (≤ 11.2.2), and 10.11.x (≤ 10.11.10) a medium severity vulnerability CVE-2026-4265 was detected. This vulnerability allows guest users to upload files in channels across teams where they lack permissions by reusing file metadata from authorized uploads, due to improper validation of team-specific upload_file permissions. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4265.
In Mattermost versions 11.3.x (≤ 11.3.0), 11.2.x (≤ 11.2.2), and 10.11.x (≤ 10.11.10) a medium severity vulnerability CVE-2026-24692 was detected. This vulnerability allows guest users without read permissions to access posts and files in channels via search API requests due to improper enforcement of read permissions. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24692.
In Mattermost versions 11.3.x (≤ 11.3.0), 11.2.x (≤ 11.2.2), and 10.11.x (≤ 10.11.10) a high severity vulnerability CVE-2026-24458 was detected. This vulnerability allows attackers to cause denial of service (DoS) by sending login attempts with multi-megabyte passwords, leading to excessive CPU and memory usage due to improper handling of very long inputs. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24458.
In Mattermost versions 10.11.x (≤ 10.11.10) a low severity vulnerability CVE-2026-22545 was detected. This vulnerability allows authenticated attackers to change an account password without confirmation by falsely claiming a different authentication provider, due to improper validation of the user’s authentication method during account auth type switching. To address this issue, users should upgrade Mattermost to versions 11.4.0 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22545.
In Mattermost versions 11.3.x (≤ 11.3.0) a medium severity vulnerability CVE-2026-2578 was detected. This vulnerability allows attackers to access unrevealed burn-on-read message contents via WebSocket post deletion events due to failure to preserve the redacted state during deletion. To address this issue, users should upgrade Mattermost to versions 11.4.0 or 11.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2578.
In Mattermost versions 11.3.x (≤ 11.3.0), 11.2.x (≤ 11.2.2), and 10.11.x (≤ 10.11.10) a medium severity vulnerability CVE-2026-26246 was detected. This vulnerability allows an authenticated attacker to cause server memory exhaustion and denial of service by uploading a specially crafted PSD file, due to improper bounds on memory allocation during image processing. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26246.
In Mattermost versions 10.11.x (≤ 10.11.10) a medium severity vulnerability CVE-2026-26230 was detected. This vulnerability allows team administrators to improperly demote members to the guest role due to insufficient validation of permission requirements in the team member roles API endpoint. To address this issue, users should upgrade Mattermost to versions 11.4.0 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26230.
In Mattermost versions 11.3.x (≤ 11.3.0), 11.2.x (≤ 11.2.2), and 10.11.x (≤ 10.11.10) a medium severity vulnerability CVE-2026-25783 was detected. This vulnerability allows an authenticated attacker to trigger a denial of service by sending a specially crafted User-Agent header, causing a request panic due to improper validation of header tokens. To address this issue, users should upgrade Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or 10.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25783.