File: websafe-kb/07-framework-security/platforms/mattermost/INDEX.md (12 KiB)

Mattermost

LAB ONLY | AUTHORIZED TARGETS ONLY | Auto-generated index

  • System ID: mattermost
  • Category: platforms
  • Coverage policy: rolling-24m
  • Total cases: 40
  • Added/updated in the last 30 days: 28
  • Highlighted Markdown cases: 40
  • Verified (real version): 0
  • Verified (synthetic): 0
  • Blocked: 0
  • Pending manual review / missing browser evidence: 40
  • Last rendered: 2026-04-02T09:18:51+00:00

Target constraints

  • Applicable target types: lab-local, lab-public, authorized-third-party
  • Public-internet verification allowed: yes, but ownership or authorization is required
  • Authorization prerequisite: asset ownership must be provable, or written/explicit authorization must have been obtained.
  • Minimal verification methods: minimal verification, read-only probing, auditable echo-back, controlled injection.
  • Prohibited scenarios: public-internet targets without proof of ownership or explicit authorization; well-known public websites or third-party assets unrelated to the test; actions that cause persistent damage, unauthorized data download, or irreversible effects.

Sources

Case list

| Title | Severity | Case status | Verification status | Verification method | Source confidence | Updated | Case page |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Issue Identifier | severity | generated | triage-manual | synthetic | official | Fix Release Date | link |
| Mattermost doesn't set permissions on downloaded bulk export | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T23:19:38.844657Z | link |
| Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T05:32:49.079377Z | link |
| Mattermost doesn't rate limit login requests, allowing DoS | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-31T05:31:41.869147Z | link |
| Mattermost fails to validate user's authentication method when processing account auth type switch | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:23.696710Z | link |
| Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.125706Z | link |
| Mattermost fails to properly enforce read permissions in search API endpoints | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:55:57.125165Z | link |
| Mattermost fails to use consistent error responses when handling the /mute command | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:15.398070Z | link |
| Mattermost fails to validate team-specific upload_file permissions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:04.837800Z | link |
| Mattermost fails to limit the size of responses from integration action endpoints | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-26T21:11:03.241919Z | link |
| Mattermost allows a removed team member to enumerate all public channels within a private team | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:02.455815Z | link |
| Mattermost fails to filter invite IDs based on user permissions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.610141Z | link |
| Mattermost fails to preserve the redacted state of burn-on-read posts during deletion | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:01.583567Z | link |
| Mattermost fails to properly handle very long passwords | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:03.732922Z | link |
| Mattermost allows attackers to spoof permalink embeds | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:18.286997Z | link |
| Mattermost fails to bound memory allocation when processing DOC files | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:18.467718Z | link |
| Mattermost fails to properly validate User-Agent header tokens | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-26T21:11:24.090883Z | link |
| Mattermost fails to bound memory allocation when processing PSD image files | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-03-23T18:56:08.918090Z | link |
| MMSA-2026-00574 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00603 | low | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00624 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00625 | medium | generated | triage-manual | synthetic | official | 2026-03-16 | link |
| MMSA-2026-00610 | low | generated | triage-manual | synthetic | official | 2026-03-10 | link |
| MMSA-2026-00611 | low | generated | triage-manual | synthetic | official | 2026-03-10 | link |
| MMSA-2026-00621 | high | generated | triage-manual | synthetic | official | 2026-03-05 | link |
| MMSA-2025-00562 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00584 | low | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00589 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00593 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00594 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00598 | medium | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2026-00599 | high | generated | triage-manual | synthetic | official | 2026-02-24 | link |
| MMSA-2025-00566 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00578 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00590 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| MMSA-2026-00595 | medium | generated | triage-manual | synthetic | official | 2026-02-23 | link |
| Mattermost fails to properly validate team membership when processing channel mentions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-04-01T17:34:52.830031Z | link |
| Mattermost fails to enforce invite permissions when updating team settings | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-04-01T17:35:38.201280Z | link |
| Mattermost fails to sanitize sensitive data in WebSocket messages | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-04-01T17:35:09.396122Z | link |
| Mattermost fails to properly validate login method restrictions | low | generated | triage-manual | synthetic | ecosystem-authority | 2026-04-01T17:34:48.742132Z | link |