Mattermost security updates 11.4.3, 11.3.3, and 10.11.13 (ESR) released

We’re informing you about a Mattermost security update, which addresses low to medium severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 11.4.3, 11.3.3, and 10.11.13 (Extended Support Release) for both Team Edition and Enterprise Edition. They are available for download here. You can follow the standard upgrade instructions to apply the updates.

The 11.4.3 and 11.3.3 versions also include the following fixes: 

• Improved security hardening for the user authentication update API endpoint.
• Improved token handling in the guest magic link authentication flow.
• Fixed a regression where the system_admin role on new installations or after certain updates was missing the manage_oauth permission, preventing access to OAuth application management API endpoints. This change restores the permission to the default system_admin role and includes a migration to backfill it on affected existing servers.

The 10.11.13 version also includes the following fixes: 

• Improved security hardening for the user authentication update API endpoint.
• Improved token handling in the guest magic link authentication flow.
• Fixed an issue where the configuration wasn’t kept when the plugin system was re-enabled.
• Pre-packaged Calls plugin version v1.11.1.

Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on this vulnerability until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerability on our Security Updates webpage.