Mattermost security updates 11.3.1, 11.2.3, and 10.11.11 (ESR) released
We’re informing you about a Mattermost security update that addresses low- to high-severity vulnerabilities. We highly recommend that you apply the update.
The security update is available in Mattermost dot releases 11.3.1, 11.2.3, and 10.11.11 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here. You can follow the standard upgrade instructions to apply the updates.
The 11.3.1 version also includes the following fixes:
- Breaking Change: Photoshop Document (PSD) files are no longer inline previewed; they are treated as regular file attachments.
- Pre-packaged Boards plugin version v9.2.2.
- Pre-packaged Playbooks plugin version v2.6.2.
- Fixed an issue with PSD file previews.
- Added a new `MM_LOG_PATH` environment variable to restrict log file locations. Log files must now be within a configured root directory.
- Fixed an issue where the `/mute` slash command could be used to enumerate private channels.
- Fixed an issue where users removed from a private team could still enumerate public channels in that team via the channel search API.
- Fixed an issue with permalink embeds arriving from websocket messages.
- Fixed a memory allocation issue by updating the mscfb and msoleps dependencies.
- Fixed an issue with memory use during integration actions.
- `/api/v4/access_control_policies/{policy_id}/activate` has been deprecated.
- Updated the `POST /api/v4/teams` team creation API to omit the `invite_id` value in the response when the requesting user does not have permission to invite members to the new team.
- `ImportSettings.Directory` can no longer be modified through the REST API. Infrastructure operators can still modify this setting via the configuration file, environment variables, or mmctl in local mode.
- Fixed a permission validation issue when attaching files to posts.
The 11.2.3 version also includes the following fixes:
- Breaking Change: Photoshop Document (PSD) files are no longer inline previewed; they are treated as regular file attachments.
- Pre-packaged Boards plugin version v9.2.2.
- Pre-packaged Playbooks plugin version v2.6.2.
- Fixed an issue with PSD file previews.
- Added a new `MM_LOG_PATH` environment variable to restrict log file locations. Log files must now be within a configured root directory.
- Fixed an issue where the `/mute` slash command could be used to enumerate private channels.
- Fixed an issue where users removed from a private team could still enumerate public channels in that team via the channel search API.
- Fixed an issue with permalink embeds arriving from websocket messages.
- Fixed a memory allocation issue by updating the mscfb and msoleps dependencies.
- `/api/v4/access_control_policies/{policy_id}/activate` has been deprecated.
- Fixed an issue with memory use during integration actions.
- Updated the `POST /api/v4/teams` team creation API to omit the `invite_id` value in the response when the requesting user does not have permission to invite members to the new team.
- `ImportSettings.Directory` can no longer be modified through the REST API. Infrastructure operators can still modify this setting via the configuration file, environment variables, or mmctl in local mode.
- Fixed a permission validation issue when attaching files to posts.
The 10.11.11 version also includes the following fixes:
- Breaking Change: Photoshop Document (PSD) files are no longer inline previewed; they are treated as regular file attachments.
- Pre-packaged Boards plugin version v9.2.2.
- Fixed a performance regression that caused the requests populating the **Recent mentions** right-hand side (RHS) to time out. This, in turn, re-introduces a known bug in searches with quoted strings, which may include results that do not exactly match the quoted string.
- Fixed an issue where the channel URL was updated when the channel display name was changed.
- Added audit logs for when admins access posts in channels they are not a member of.
- Fixed an issue with PSD file previews.
- Added a new `MM_LOG_PATH` environment variable to restrict log file locations. Log files must now be within a configured root directory.
- Fixed an issue where the `/mute` slash command could be used to enumerate private channels.
- Fixed an issue with permalink preview information after losing channel or team permissions.
- A user’s actual authentication method is now validated before an authentication type switch is processed.
- Fixed an issue where users removed from a private team could still enumerate public channels in that team via the channel search API.
- Fixed an issue with permalink embeds arriving from websocket messages.
- Fixed a memory allocation issue by updating the mscfb and msoleps dependencies.
- `/api/v4/access_control_policies/{policy_id}/activate` has been deprecated.
- Fixed an issue with memory use during integration actions.
- Updated the `POST /api/v4/teams` team creation API to omit the `invite_id` value in the response when the requesting user does not have permission to invite members to the new team.
- `ImportSettings.Directory` can no longer be modified through the REST API. Infrastructure operators can still modify this setting via the configuration file, environment variables, or mmctl in local mode.
- Fixed a permission validation issue when attaching files to posts.
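The `MM_LOG_PATH` item in each of the three release lists above describes a path-confinement rule: a log file location is only accepted if it lies within a configured root directory. The following Go snippet is an added example of that kind of check, not Mattermost's own implementation; the function name `ConfineToRoot`, the root `/var/log/mattermost`, and the candidate paths are constructed for illustration. It shows the two cases a lexical "is this path inside the root?" check must reject: `..` traversal and a sibling directory that merely shares the root's string prefix (`/var/log/mattermost-evil` against `/var/log/mattermost`).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a candidate path resolves outside the root.
var ErrOutsideRoot = errors.New("log path resolves outside the configured root directory")

// ConfineToRoot returns the absolute, cleaned form of candidate if it lies
// within root, and ErrOutsideRoot otherwise. Relative candidates are
// interpreted relative to root, never the process working directory.
// The check is purely lexical: it compares the cleaned target against the
// root using filepath.Rel, which is what makes a sibling directory such as
// /var/log/mattermost-evil fail even though it shares the root's prefix.
// Symlinks inside root are not resolved here; a deployment that allows
// symlinked log directories would additionally call filepath.EvalSymlinks
// on both sides before comparing.
func ConfineToRoot(root, candidate string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}

	var target string
	if filepath.IsAbs(candidate) {
		target = filepath.Clean(candidate)
	} else {
		target = filepath.Join(absRoot, candidate) // Join also cleans ".." segments
	}

	// Rel yields a path starting with ".." exactly when target is not under absRoot.
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/var/log/mattermost" // constructed example root; not a product default

	// Constructed candidate paths: the first two are legitimate, the rest must be rejected.
	candidates := []string{
		"mattermost.log",
		"audit/audit.log",
		"../../etc/passwd",
		"/var/log/mattermost-evil/mattermost.log",
		"/var/log/mattermost/../../../etc/shadow",
	}
	for _, c := range candidates {
		p, err := ConfineToRoot(root, c)
		if err != nil {
			fmt.Printf("%-42s REJECTED: %v\n", c, err)
			continue
		}
		fmt.Printf("%-42s accepted as %s\n", c, p)
	}
}
```

The important design choice is using `filepath.Rel` rather than `strings.HasPrefix` on the raw strings: a prefix test accepts `/var/log/mattermost-evil/...` for root `/var/log/mattermost`, while the relative-path test correctly reports it as `../mattermost-evil/...` and rejects it.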
Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on these vulnerabilities until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerabilities on our Security Updates webpage.