Mattermost Security Updates

To report security issues, please see the Mattermost Responsible Disclosure Policy. To sign up for notifications when a security fix is released, please join our Security Bulletin mailing list.

Mattermost software undergoes security review and penetration testing by organizations preparing for deployment, by leaders in the global security research community, and through internal review and testing.

Feedback is responsibly shared with the product team so that security updates can be offered to the Mattermost community before the issues are publicly disclosed on the Mattermost Security Updates page.

Note: To increase the safety of Mattermost users, specific details on security updates in Mattermost releases are announced 14 days after the availability of the update. We have a mandatory upgrade policy and only provide updates for the latest release.

See security updates for:

Mattermost Server

Please see the Mattermost Upgrade Guide for step-by-step instructions on how to update to the latest release.

Security Updates by Release

Mattermost v3.6.2 (Released 2017-01-31)

  • Security Update #3.6.2.1
    • (Preventing Cross-Site Scripting) Updated the server to honor cross-origin settings for websocket connections. Thanks to Alex Garbutt for contributing to this improvement under the Mattermost responsible disclosure policy.
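As an illustration of the kind of check behind Security Update #3.6.2.1, here is an added Go example (not Mattermost's own code) of validating the Origin header on a WebSocket upgrade before the handshake is accepted. The function name CheckOrigin, the siteURL parameter and the allowed list are assumptions made for the example. The point it shows: a browser-initiated handshake from any site carries the user's session cookie, so only the server can refuse a cross-origin socket, and a wildcard setting hands an authenticated socket to every origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sameOrigin compares scheme and host:port of two URLs, case-insensitively.
// Path, query and fragment are ignored because an Origin header never has them.
// A URL that cannot be parsed, or that has no scheme or host (for example the
// literal "null" origin), never matches anything.
func sameOrigin(a, b string) bool {
	ua, err := url.Parse(a)
	if err != nil || ua.Scheme == "" || ua.Host == "" {
		return false
	}
	ub, err := url.Parse(b)
	if err != nil || ub.Scheme == "" || ub.Host == "" {
		return false
	}
	return strings.EqualFold(ua.Scheme, ub.Scheme) && strings.EqualFold(ua.Host, ub.Host)
}

// CheckOrigin reports whether a WebSocket upgrade request may proceed.
// siteURL is the server's public URL (an assumed configuration value such as
// "https://chat.example.com"); allowed lists extra permitted origins. The entry
// "*" reproduces the weak "accept any origin" behaviour and is included only so
// the contrast with the strict check is visible.
func CheckOrigin(r *http.Request, siteURL string, allowed []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake. A request without
		// one comes from a non-browser client, and the Origin check is a defence
		// against browsers acting on a user's behalf, not authentication.
		return true
	}
	for _, a := range allowed {
		if a == "*" {
			return true // weak setting: any site may open an authenticated socket
		}
		if sameOrigin(origin, a) {
			return true
		}
	}
	return sameOrigin(origin, siteURL)
}

func main() {
	r, _ := http.NewRequest("GET", "/api/websocket", nil)
	for _, o := range []string{"https://chat.example.com", "https://attacker.example", "null"} {
		r.Header.Set("Origin", o)
		fmt.Printf("origin %-28q strict=%-5v wildcard=%v\n", o,
			CheckOrigin(r, "https://chat.example.com", nil),
			CheckOrigin(r, "https://chat.example.com", []string{"*"}))
	}
}
```

One caveat worth knowing: the comparison is on host:port as written, so "https://chat.example.com" and "https://chat.example.com:443" do not match each other; normalise the configured site URL rather than loosening the check.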

Mattermost v3.5.2 and v3.6.0 (Released 2017-01-16)

  • Security Update #3.6.0.1
    • (Preventing Cross-Site Scripting) Updated client to prevent links on error page from executing code. Thanks to Julien Ahrens for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.5.1 (Released 2016-11-23)

  • Security Update #3.5.1.1
    • (Reducing Attack Surface) Fixed a vulnerability where a user could bypass email verification without needing to receive the email. Thanks to Alyssa Milburn for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.5.1.2
    • (Preventing Cross-Site Scripting and Remote Code Execution) Updated client to prevent certain code files from being executed in the browser window when opened in a file preview. Thanks to Harrison Healey for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.3.0 (Released 2016-08-16)

  • Security Update #3.3.0.1
    • (Preventing Message Spoofing) Fixed a vulnerability where a logged in user could use WebSockets to show pop-ups containing messages to users in place of desktop notifications, and also locally modify the appearance of posts. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.2.0 (Released 2016-07-16)

  • Security Update #3.2.0.1
    • (Reducing Information Disclosure) Removed unused personal information from being returned in initial_load API. Thanks to Christer Mjellem Strand and Jonas Arneberg for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.2
    • (Protecting Against Denial of Service Vulnerability) Fixed functionality that caused certain posts to freeze a reader’s browser. Thanks to Mohammad Razavi and Steve MacQuiddy for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.3
    • (Reducing Information Disclosure) Fixed an injection vulnerability that could cause certain LDAP fields to be disclosed. Thanks to Bastian Ike for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.2.0.4
    • (Reducing Attack Surface) Added protection against brute forcing a password change. Thanks to Ashish Pathak for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.1.0 (Released 2016-06-16)

  • Security Update #3.1.0.1
    • (Preventing Cross-Site Scripting) Updated server to validate theme color code values so that a user cannot, even inadvertently, store malicious content in them that would execute JavaScript under the user’s credentials. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.1.0.2
    • (Reducing Attack Surface) Added rel='noreferrer noopener' to all links using target='_blank', so a page opened from a Mattermost link cannot reach back into the Mattermost tab through window.opener and does not receive the Referer header.

Mattermost v3.0.2 (Released 2016-05-17)

  • Security Update #3.0.2.1
    • (Reducing Information Disclosure) Removed the redundancy between the Session ID and the Session Token: the Session Token is now limited to authenticating logins and the Session ID to revoking sessions. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v3.0.0 (Released 2016-05-16)

  • Security Update #3.0.0.1
    • (Preventing Cross-Site Scripting) Sanitized hyperlink values specified by System Administrator in Legal and Support Settings to prevent cross-site scripting attack. Thanks to Uchida Taishi for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.2
    • (Reducing Attack Surface) Limit system to one valid password reset link per user at a time to replace previous system which allowed reuse of password reset links. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.3
    • (Reducing Information Disclosure) Deprecated API previously used by unauthenticated accounts to retrieve data on teams available on the server in order to find team URLs needed for login. This functionality is no longer needed in Mattermost 3.0 where users login by server, rather than by team. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.4
    • (Reducing Attack Surface) Added the Secure flag to the session cookie that the Mattermost server sets over an SSL/TLS connection, so the browser only sends the cookie back over SSL/TLS and never discloses it over plain HTTP. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.5
    • (Reducing Attack Surface) Removed unnecessary APIs for System Admin to change username and email address of LDAP users. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.6
    • (Reducing Information Disclosure) Removed the ability for System Console UI to load credential fields stored in `config.json` in order to reduce information disclosure. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.7
    • (Preventing Cross-Site Scripting) Removed ability to use Mattermost redirect URL to run Javascript. Thanks to Yoni Ramon from Tesla security team for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #3.0.0.8
    • (Reducing Attack Surface) Removed unused export APIs to reduce the number of ways a Team Administrator could access account information. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.
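The property described in Security Update #3.0.0.2, one valid password reset link per user at a time, is easy to get wrong when tokens are simply appended to a table. The following Go example is added here to show one way to implement it; it is not Mattermost's code. ResetStore, Issue, Consume and the one-hour lifetime are assumptions made for the example. It also stores only a SHA-256 digest of each token, so a read of the store does not yield a usable link, and burns a token on first use whether or not it was still in date.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

type resetEntry struct {
	userID  string
	expires time.Time
}

// ResetStore issues password-reset tokens such that a user has at most one
// valid link at a time and every link is single-use.
type ResetStore struct {
	mu     sync.Mutex
	byHash map[string]resetEntry // token digest -> owner and expiry
	byUser map[string]string     // userID -> digest of the currently valid token
	ttl    time.Duration
	now    func() time.Time // injectable clock so expiry can be tested
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{byHash: map[string]resetEntry{}, byUser: map[string]string{}, ttl: ttl, now: time.Now}
}

func digest(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue mints a fresh 256-bit random token and revokes any earlier token for
// the same user, so only the newest link in the inbox works.
func (s *ResetStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.byUser[userID]; ok {
		delete(s.byHash, old) // the previous link stops working immediately
	}
	h := digest(token)
	s.byHash[h] = resetEntry{userID: userID, expires: s.now().Add(s.ttl)}
	s.byUser[userID] = h
	return token, nil
}

var ErrInvalidToken = errors.New("reset token invalid, expired or already used")

// Consume validates a token taken from a reset link and burns it regardless of
// outcome, returning the user whose password may now be changed.
func (s *ResetStore) Consume(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	h := digest(token)
	e, ok := s.byHash[h]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.byHash, h)
	delete(s.byUser, e.userID)
	if s.now().After(e.expires) {
		return "", ErrInvalidToken
	}
	return e.userID, nil
}

func main() {
	s := NewResetStore(time.Hour)
	first, _ := s.Issue("alice")
	second, _ := s.Issue("alice") // user requested a second email
	_, err := s.Consume(first)
	fmt.Println("first link after re-request:", err)
	user, err := s.Consume(second)
	fmt.Println("second link:", user, err)
	_, err = s.Consume(second)
	fmt.Println("second link reused:", err)
}
```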

Mattermost v2.2.0 (Released 2016-04-16)

  • Security Update #2.2.0.1
    • Updated server to prevent misuse of user authority from information stored in a user’s browser. Thanks to Jim Hebert of Fitbit Security for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #2.2.0.2
    • (Preventing Cross-Site Scripting) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Uchida Ta for contributing to this improvement under the Mattermost responsible disclosure policy.
  • Security Update #2.2.0.3
    • (Preventing Cross-Site Scripting and Remote Code Execution) Updated server to prevent files from being automatically opened in a browser window, which could be used to attack the system in multiple ways, including being used against the Mattermost desktop application to run programs on an end user’s computer. Thanks to Andreas Lindh for contributing to this improvement under the Mattermost responsible disclosure policy.
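Security Updates #2.2.0.3 and #3.5.1.2 both come down to the same rule: an uploaded file must never be rendered inline in the application's origin unless its type is known to be safe. The Go example below is added to show the server-side half of that rule; it is not Mattermost's code, and FileHeaders, ServeStoredFile and the inline allow-list are assumptions made for the example. The content type is derived from the stored file name, never from anything the uploader sent, and everything outside the allow-list is forced to download with nosniff so the browser cannot second-guess the type.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
	"strings"
)

// inlineTypes is the allow-list of media types a file preview may render in
// the browser window. Anything else (HTML, SVG, JavaScript, PDF, ...) is forced
// to download so that its content can never execute in the app's origin.
var inlineTypes = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// FileHeaders picks Content-Type and Content-Disposition for a stored file.
// preview=true yields "inline" only for allow-listed media types.
func FileHeaders(name string, preview bool) (ctype, disposition string) {
	ctype = mime.TypeByExtension(strings.ToLower(filepath.Ext(name)))
	if ctype == "" {
		ctype = "application/octet-stream"
	}
	// Strip parameters such as "; charset=utf-8" before consulting the allow-list.
	mediaType, _, err := mime.ParseMediaType(ctype)
	if err != nil {
		mediaType = ctype
	}
	disp := "attachment"
	if preview && inlineTypes[mediaType] {
		disp = "inline"
	}
	disposition = mime.FormatMediaType(disp, map[string]string{"filename": filepath.Base(name)})
	return ctype, disposition
}

// ServeStoredFile writes an uploaded file with the headers chosen above, plus
// X-Content-Type-Options: nosniff so the browser cannot reinterpret the body as
// HTML, and a sandbox CSP as defence in depth should a browser render it anyway.
func ServeStoredFile(w http.ResponseWriter, name string, data []byte, preview bool) {
	ctype, disposition := FileHeaders(name, preview)
	h := w.Header()
	h.Set("Content-Type", ctype)
	h.Set("Content-Disposition", disposition)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox")
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

func main() {
	for _, n := range []string{"photo.png", "report.html", "logo.svg", "payload.js", "blob"} {
		ct, cd := FileHeaders(n, true)
		fmt.Printf("%-12s %-28s %s\n", n, ct, cd)
	}
}
```

The allow-list is deliberately short: SVG is an image format that can carry script, so it is not on it, and a server that must preview other types should convert them to a safe representation rather than extend the list.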

Mattermost v2.1.0 (Released 2016-03-16)

  • Security Update #2.1.0.1
    • (Preventing Cross-Site Request Forgery) Updated server to prevent malicious content from potentially executing a script under the credentials of a user who clicks a specially crafted link. Thanks to Luke Arntson for contributing to this improvement under the Mattermost responsible disclosure policy.

Mattermost v1.2.0 (Released 2015-11-16)

  • Security Update #1.2.0.1
    • (Protecting Against Denial of Service Vulnerability) Added file upload restrictions to prevent decompression of very large images from consuming large amounts of server memory after upload. Thanks to Paddy Steed for contributing to this improvement under the Mattermost responsible disclosure policy.
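The failure mode in Security Update #1.2.0.1 is a decompression bomb: a few hundred bytes of PNG header can declare a 100000 x 100000 canvas, and a decoder that allocates the bitmap before reading pixel data will try to reserve tens of gigabytes. The Go example below is added to show the standard defence of reading only the image header first (image.DecodeConfig) and refusing to decode anything whose pixel count exceeds a budget. It is not Mattermost's code; CheckImage, DecodeBounded and the two limits are assumptions made for the example, and the two sample inputs are constructed inline, one a real 4x4 PNG and the other just a signature and IHDR chunk claiming a huge canvas.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
)

// Assumed limits for the example: total upload size and decoded pixel budget.
const (
	MaxUploadBytes = 10 << 20
	MaxPixels      = 20_000_000 // roughly a 5000x4000 photo
)

// CheckImage parses only the header of an uploaded image and rejects it when
// the decoded bitmap would exceed MaxPixels. No pixel memory is allocated here.
func CheckImage(data []byte) (image.Config, error) {
	if len(data) > MaxUploadBytes {
		return image.Config{}, fmt.Errorf("upload of %d bytes exceeds limit", len(data))
	}
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return image.Config{}, err
	}
	if int64(cfg.Width)*int64(cfg.Height) > MaxPixels {
		return image.Config{}, fmt.Errorf("%s image %dx%d exceeds pixel budget", format, cfg.Width, cfg.Height)
	}
	return cfg, nil
}

// DecodeBounded is the only path that fully decodes: it runs CheckImage first.
func DecodeBounded(data []byte) (image.Image, error) {
	if _, err := CheckImage(data); err != nil {
		return nil, err
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// PNGHeader builds a constructed sample: PNG signature plus an IHDR chunk
// (8-bit RGBA) declaring a w x h canvas, with a valid CRC so the decoder
// accepts the header. There is no pixel data behind it.
func PNGHeader(w, h uint32) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], w)
	binary.BigEndian.PutUint32(ihdr[4:], h)
	ihdr[8], ihdr[9] = 8, 6 // bit depth 8, colour type 6 (RGBA)
	chunk := append([]byte("IHDR"), ihdr...)
	binary.Write(&b, binary.BigEndian, uint32(len(ihdr)))
	b.Write(chunk)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(chunk))
	return b.Bytes()
}

// SmallPNG encodes a genuine 4x4 image as the benign sample.
func SmallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 4, 4))
	img.Set(0, 0, color.RGBA{R: 255, A: 255})
	var b bytes.Buffer
	png.Encode(&b, img)
	return b.Bytes()
}

func main() {
	samples := map[string][]byte{
		"4x4 png":              SmallPNG(),
		"100000x100000 header": PNGHeader(100000, 100000),
	}
	for name, data := range samples {
		if cfg, err := CheckImage(data); err != nil {
			fmt.Printf("%s (%d bytes): rejected: %v\n", name, len(data), err)
		} else {
			fmt.Printf("%s (%d bytes): ok, %dx%d\n", name, len(data), cfg.Width, cfg.Height)
		}
	}
}
```

The byte-size limit alone is not enough, which is the whole point: the bomb header is 33 bytes. The pixel budget is what bounds memory, and it should be applied before any thumbnailing or resizing code touches the file.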

Mattermost Desktop App

Please download the latest release from Mattermost App Downloads page and see the Desktop Installation Guides for Windows, Mac and Linux.

Security Updates by Release

Mattermost Desktop v3.4.0 (Released 2016-09-22)

  • Security Update #3.4.0.1
    • (Reducing Attack Surface) Added protection against code injection vulnerabilities by overriding and disabling an eval function that allowed strings to be executed as code. Thanks to Kolja Lampe for contributing to this improvement under the Mattermost responsible disclosure policy.