Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: mattermost-desktop

Found 22 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-21386
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 18 hours ago
Private channel enumeration via /mute slash command

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2456
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 days, 18 hours ago
Denial of Service via Unbounded Memory Allocation in Integration Actions

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button.. Mattermost Advisory ID: MMSA-2026-00571

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-24458
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 days, 18 hours ago
DoS attack via login attempts with multi-megabyte passwords

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2476
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 18 hours ago
MS Teams plugin sensitive config values not properly masked in support packets

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

References

Affected products

Mattermost
  • ==2.3.1.0
  • =<2.0.3

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2461
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 18 hours ago
Missing authorization check allows unauthorized modification of other users' comments on a board

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

References

Affected products

Mattermost
  • =<11.2.2
  • =<11.0.3
  • ==11.3.1
  • =<10.10.11
  • ==10.11.11
  • ==11.2.3
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2463
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 18 hours ago
Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2454
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 days, 18 hours ago
DoS in Calls plugin via malformed msgpack in websocket request.

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-2462
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 days, 18 hours ago
Admin RCE via Malicious Plugin Upload on CI Test Instances

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25783
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 days, 18 hours ago
Denial of service via malformed User-Agent header in getBrowserVersion

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-26304
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 18 hours ago
Permission Bypass in Playbook Run Creation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers