Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: mattermost

Found 8 matching suggestions

Published
Permalink CVE-2026-20796
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    6 days, 8 hours ago
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
Time-of-check time-of-use vulnerability in common teams API

Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Published
Permalink CVE-2025-13821
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 17 hours ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 days, 3 hours ago
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Published
Permalink CVE-2025-14573
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 17 hours ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 days, 3 hours ago
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
Team Admin Bypass of Invite Permissions via allow_open_invite Field

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Published
Permalink CVE-2026-1046
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 17 hours ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 days, 3 hours ago
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
Arbitrary application execution via unvalidated server-controlled URLs in Help menu

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577

Affected products

Mattermost
  • =<5.2.13
  • ==6.1.0
  • ==5.13.3.0
  • ==6.0.3.0
  • =<6.2.0

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Published
Permalink CVE-2025-14350
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 14 hours ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 days, 1 hour ago
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
Information disclosure via channel mentions in posts

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Published
Permalink CVE-2026-0999
updated 4 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 4 days, 11 hours ago
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
    4 days, 3 hours ago
  • @LeSuisse removed
    5 maintainers
    • @ryantm
    • @mgdelacroix
    • @numinit
    • @Kranzes
    • @fsagbuya
    4 days, 1 hour ago
  • @LeSuisse accepted 4 days, 1 hour ago
  • @LeSuisse published on GitHub 4 days, 1 hour ago
Authentication bypass via userID login when email and username login are disabled

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5) 
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
Dismissed
Permalink CVE-2025-14822
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month ago
  • @LeSuisse removed
    3 packages
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • mattermost-desktop
    1 month ago
  • @LeSuisse dismissed 1 month ago
DoS from quadratic complexity in model.ParseHashtags

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

Affected products

Mattermost
  • ==10.11.9
  • ==11.2.0
  • =<10.11.8

Matching in nixpkgs

pkgs.mattermost

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Already fixed in unstable and stable branches.
Dismissed
Permalink CVE-2025-14435
updated 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month ago
  • @LeSuisse removed
    5 packages
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • mattermost-desktop
    • mattermostLatest
    • mattermost
    1 month ago
  • @LeSuisse added
    2 packages
    • mattermostLatest
    • mattermost
    1 month ago
  • @LeSuisse dismissed 1 month ago
Application-Level DoS via infinite re-render loop in user profile handling

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

Affected products

Mattermost
  • ==11.0.7
  • =<11.0.6
  • ==11.2.0
  • =<10.11.8
  • ==10.11.9
  • =<11.1.1
  • ==11.1.2

Matching in nixpkgs

pkgs.mattermost

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

pkgs.mattermostLatest

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

Package maintainers

Already fixed in unstable and stable branches.