Winfunc

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.6.x through 11.6.1 Mattermost versions 11.5.x through 11.5.4 Mattermost versions 10.11.x through 10.11.15 **Description** Insufficient sanitization of the Remote Cluster API response during PATCH operations allows authenticated users possessing the `manage secure connections` permission to obtain remote cluster authentication tokens. This occurs when a PATCH request is sent to the remote cluster endpoint. **Recommendations** Update versions 11.6.x through 11.6.1 to a newer version. Update versions 11.5.x through 11.5.4 to a newer version. Update versions 10.11.x through 10.11.15 to a newer version.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions prior to 11.6.2 Mattermost versions prior to 11.5.5 Mattermost versions prior to 10.11.17 **Description** Insufficient role-management authorization occurs when setting the `scheme admin` flag on group syncable link and patch endpoints. This allows a user with group-link permissions to escalate their own privileges and those of group members to team or channel administrator through crafted API requests. **Recommendations** Update to version 11.6.2 or later. Update to version 11.5.5 or later. Update to version 10.11.17 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.11 Mattermost versions 11.2.x through 11.2.3 Mattermost versions 11.3.x through 11.3.1 Mattermost versions 11.4.x through 11.4.0 **Description** The software fails to properly set permissions on downloaded bulk exports. This allows other local users on the server to read the contents of the exported data. **Recommendations** Update Mattermost versions prior to 10.11.12. Update Mattermost versions prior to 11.2.4. Update Mattermost versions prior to 11.3.2. Update Mattermost versions prior to 11.4.1.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.1 Mattermost versions 11.4.x through 11.4.0 **Description** The software does not properly sanitize user-controlled post content in the terminal output of `mmctl` commands. This allows attackers to manipulate administrator terminals through crafted messages containing ANSI and OSC escape sequences. These sequences can enable screen manipulation, display fake prompts, and hijack the clipboard. The Mattermost Advisory ID for this issue is MMSA-2026-00599. **Recommendations** Update Mattermost to a version beyond 10.11.10. Update Mattermost to a version beyond 11.2.2. Update Mattermost to a version beyond 11.3.1. Update Mattermost to a version beyond 11.4.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.11 Mattermost versions 11.2.x through 11.2.3 Mattermost versions 11.3.x through 11.3.1 Mattermost versions 11.4.x through 11.4.0 **Description** The software does not properly validate the size of decompressed archive entries when extracting files. This allows authenticated users who have file upload permissions to cause a denial of service by uploading specially crafted zip archives. These archives contain highly compressed entries, known as zip bombs, which can exhaust server memory. **Recommendations** Update Mattermost to a version later than 10.11.11. Update Mattermost to a version later than 11.2.3. Update Mattermost to a version later than 11.3.1. Update Mattermost to a version later than 11.4.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.1 Mattermost versions 11.4.x through 11.4.0 **Description** The application fails to enforce view restrictions when retrieving group member IDs. This allows authenticated guest users to enumerate user IDs outside of their permitted visibility scope through the group retrieval **API endpoint**. The `group retrieval` endpoint allows unauthorized access to user IDs. **Recommendations** Mattermost versions 10.11.x through 10.11.10 should be updated. Mattermost versions 11.2.x through 11.2.2 should be updated. Mattermost versions 11.3.x through 11.3.1 should be updated. Mattermost versions 11.4.x through 11.4.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0 **Description** The software does not properly validate User-Agent header tokens. This allows an authenticated attacker to cause a request panic by using a specially crafted User-Agent header. The `User-Agent` header is the target of this issue. **Recommendations** Update Mattermost to a version later than 10.11.10. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0 **Description** The software does not properly normalize IPv4-mapped IPv6 addresses before validating reserved IP addresses. This allows an attacker to perform Server-Side Request Forgery (SSRF) attacks against internal services using IPv4-mapped IPv6 literals, such as `[::ffff:127.0.0.1]`. SSRF is a web security flaw that allows an attacker to cause the server to make HTTP requests to an arbitrary domain of the attacker's choosing. **Recommendations** Update Mattermost to a version beyond 10.11.10. Update Mattermost to a version beyond 11.2.2. Update Mattermost to a version beyond 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.3.0 and earlier Mattermost versions 11.2.2 and earlier Mattermost versions 10.11.10 and earlier **Description** The software does not correctly manage very long passwords. This allows an attacker to exhaust server resources, specifically CPU and memory, by repeatedly attempting to log in with excessively large passwords. The issue is present in the `github.com/mattermost/mattermost-server` module prior to version `v5.3.2-0.20260129164748-7201f42d955f`. **Recommendations** Update Mattermost to a version later than 11.3.0. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 10.11.10. Update the `github.com/mattermost/mattermost-server` module to version `v5.3.2-0.20260129164748-7201f42d955f` or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.0 through 10.11.10 Mattermost versions 11.2.0 through 11.2.2 Mattermost versions 11.3.0 **Description** Mattermost does not consistently handle error responses when processing the `/mute` command. This allows an authenticated team member to identify private channels they are not authorized to access by observing differing error messages for nonexistent versus private channels. The issue occurs due to inconsistent error messaging when attempting to mute a user in a channel they are not a member of. **Recommendations** Mattermost versions 10.11.0 through 10.11.10 should be updated. Mattermost versions 11.2.0 through 11.2.2 should be updated. Mattermost version 11.3.0 should be updated.