
Mattermost security updates 11.5.2, 11.4.4, and 10.11.14 (ESR) released

We’re informing you about a Mattermost security update, which addresses Low to High severity vulnerabilities. We highly recommend that you apply the update.

The security update is available in Mattermost dot releases 11.5.2, 11.4.4, and 10.11.14 (Extended Support Release) for both Team Edition and Enterprise Edition. The releases are available for download, and you can follow the standard upgrade instructions to apply them.

The 11.5.2 version also includes the following fixes: 

  • Pre-packaged Calls plugin version v1.11.4.
  • Pre-packaged Playbooks plugin version v2.8.0.
  • Pre-packaged MS Teams Meetings plugin version v2.4.1.
  • Pre-packaged GitLab plugin version v1.12.1.
  • Fixed an issue where membership changes from remote clusters could operate on a different channel than the one validated in the sync message.
  • Fixed an issue where image proxies did not detect content-types accurately in certain cases.
  • Fixed an issue with edit post permissions.
  • Fixed an issue with file attachment processing for certain archive types.
  • Fixed an issue where remote cluster invite confirmations could accept a RefreshedToken that matched the original invite token, preventing proper token rotation.
  • Fixed an issue with custom slash command response URL construction.
  • Fixed a regression where the system_admin role on new installations or after certain updates was missing the manage_oauth permission, preventing access to OAuth application management API endpoints. This change restores the permission to the default system_admin role and includes a migration to backfill it on affected existing servers.
  • Fixed an issue with bulk imports failing on PostgreSQL when channel, team, or thread membership batches exceeded the 65,535 query parameter limit by automatically chunking large INSERT statements.
  • Fixed an issue where thread context for message rewrites could be assembled without applying the same channel read validation used for other post reads.
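The bulk-import fix above works around a hard PostgreSQL limit: one statement may carry at most 65,535 bind parameters, so a multi-row INSERT of N rows with C columns must keep N*C under that cap. The following Go example, added here and not taken from Mattermost's code base, shows the chunking strategy in general form: it computes the largest batch that fits, splits the rows, and renders a parameterized INSERT per batch. The table name, column names and the sample ChannelMembers rows are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// PostgreSQL caps the number of bind parameters in one statement at 65535.
const pgMaxParams = 65535

// Statement is one parameterized INSERT, ready for db.Exec(s.SQL, s.Args...).
type Statement struct {
	SQL  string
	Args []interface{}
}

// RowsPerBatch returns the largest row count whose placeholders stay under the cap.
func RowsPerBatch(columns int) int {
	if columns <= 0 {
		return 0
	}
	return pgMaxParams / columns
}

// BuildChunkedInserts splits rows into batches that each fit under the parameter
// cap and renders one multi-row INSERT per batch. table and columns must be
// trusted identifiers (never user input): they are interpolated into the SQL
// text, while every value travels as a bind parameter.
func BuildChunkedInserts(table string, columns []string, rows [][]interface{}) ([]Statement, error) {
	perBatch := RowsPerBatch(len(columns))
	if perBatch == 0 {
		return nil, fmt.Errorf("no columns given")
	}
	var stmts []Statement
	for start := 0; start < len(rows); start += perBatch {
		end := start + perBatch
		if end > len(rows) {
			end = len(rows)
		}
		batch := rows[start:end]
		args := make([]interface{}, 0, len(batch)*len(columns))
		values := make([]string, 0, len(batch))
		for i, row := range batch {
			if len(row) != len(columns) {
				return nil, fmt.Errorf("row %d has %d values, want %d", start+i, len(row), len(columns))
			}
			// Placeholders continue numbering from the arguments already collected,
			// so the first row gets $1..$C, the second $C+1..$2C, and so on.
			ph := make([]string, len(columns))
			for j := range columns {
				ph[j] = fmt.Sprintf("$%d", len(args)+j+1)
			}
			args = append(args, row...)
			values = append(values, "("+strings.Join(ph, ",")+")")
		}
		text := fmt.Sprintf("INSERT INTO %s (%s) VALUES %s",
			table, strings.Join(columns, ","), strings.Join(values, ","))
		stmts = append(stmts, Statement{SQL: text, Args: args})
	}
	return stmts, nil
}

// sampleMembers builds n constructed ChannelMembers rows (illustrative data only).
func sampleMembers(n int) [][]interface{} {
	rows := make([][]interface{}, n)
	for i := range rows {
		rows[i] = []interface{}{"chan-1", fmt.Sprintf("user-%d", i), "channel_user"}
	}
	return rows
}

func main() {
	cols := []string{"ChannelId", "UserId", "Roles"}
	stmts, err := BuildChunkedInserts("ChannelMembers", cols, sampleMembers(50000))
	if err != nil {
		panic(err)
	}
	for i, s := range stmts {
		fmt.Printf("statement %d: %d rows, %d parameters\n", i, len(s.Args)/len(cols), len(s.Args))
	}
}
```

With three columns the cap allows 21,845 rows per statement, so 50,000 membership rows become three INSERTs (21,845 + 21,845 + 6,310 rows) instead of one 150,000-parameter statement that PostgreSQL would reject. Drivers that prepare statements also benefit, since a stable batch size lets the same prepared INSERT be reused across batches.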

The 11.4.4 version also includes the following fixes: 

  • Pre-packaged Calls plugin version v1.11.4.
  • Pre-packaged Playbooks plugin version v2.8.0.
  • Pre-packaged MS Teams Meetings plugin version v2.4.1.
  • Pre-packaged GitLab plugin version v1.12.1.
  • Fixed an issue where membership changes from remote clusters could operate on a different channel than the one validated in the sync message.
  • Fixed an issue where image proxies did not detect content-types accurately in certain cases.
  • Fixed an issue with edit post permissions.
  • Fixed an issue with file attachment processing for certain archive types.
  • Fixed an issue where remote cluster invite confirmations could accept a RefreshedToken that matched the original invite token, preventing proper token rotation.
  • Fixed an issue with custom slash command response URL construction.

The 10.11.14 version also includes the following fixes: 

  • Pre-packaged Calls plugin version v1.11.4.
  • Pre-packaged Playbooks plugin version v2.4.4.
  • Pre-packaged MS Teams Meetings plugin version v2.4.1.
  • Pre-packaged GitLab plugin version v1.12.1.
  • Fixed an issue where membership changes from remote clusters could operate on a different channel than the one validated in the sync message.
  • Fixed an issue where image proxies did not detect content-types accurately in certain cases.
  • Fixed an issue with edit post permissions.
  • Fixed an issue with file attachment processing for certain archive types.
  • Fixed an issue where remote cluster invite confirmations could accept a RefreshedToken that matched the original invite token, preventing proper token rotation.
  • Fixed an issue with custom slash command response URL construction.
  • Fixed typing issues in the Find Channels modal caused by interference with IMEs.
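Two of the shared-channel fixes listed for all three releases share one theme: the receiver must act only on the object it validated. A membership change must target the channel named in the validated sync message, and an invite confirmation must present a token that actually differs from the original invite token, otherwise "rotation" leaves the old token valid. The Go example below, added here and not Mattermost's own code, shows both checks in a generalized form; the SyncMessage, MembershipChange and token field names are constructed for illustration, and the minimum token length is an assumed policy value.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// MembershipChange is a constructed shape for one add/remove request from a remote.
type MembershipChange struct {
	ChannelID string
	UserID    string
	Add       bool
}

// SyncMessage carries the channel the receiver has already validated for this
// remote cluster, plus the membership changes the remote asks to apply.
type SyncMessage struct {
	RemoteID           string
	ValidatedChannelID string
	Changes            []MembershipChange
}

var (
	ErrChannelMismatch = errors.New("membership change targets a channel other than the validated one")
	ErrTokenNotRotated = errors.New("refreshed token equals the original invite token")
	ErrTokenTooShort   = errors.New("refreshed token is too short")
)

// ValidateChanges returns the changes that may be applied and one error per
// change that names a channel other than the one the sync message was
// validated for. Nothing is applied for a rejected change.
func ValidateChanges(msg SyncMessage) ([]MembershipChange, []error) {
	var ok []MembershipChange
	var errs []error
	for _, c := range msg.Changes {
		if c.ChannelID != msg.ValidatedChannelID {
			errs = append(errs, fmt.Errorf("remote %s user %s channel %s: %w",
				msg.RemoteID, c.UserID, c.ChannelID, ErrChannelMismatch))
			continue
		}
		ok = append(ok, c)
	}
	return ok, errs
}

// ValidateRefreshedToken accepts a confirmation only if the presented token is
// long enough and differs from the original invite token, so that storing it
// really retires the old one. The comparison is constant-time so the check
// leaks nothing about how far the two values agree.
func ValidateRefreshedToken(originalToken, refreshedToken string, minLen int) error {
	if len(refreshedToken) < minLen {
		return ErrTokenTooShort
	}
	if subtle.ConstantTimeCompare([]byte(originalToken), []byte(refreshedToken)) == 1 {
		return ErrTokenNotRotated
	}
	return nil
}

func main() {
	msg := SyncMessage{
		RemoteID:           "remote-a",
		ValidatedChannelID: "chan-1",
		Changes: []MembershipChange{
			{ChannelID: "chan-1", UserID: "u1", Add: true},
			{ChannelID: "chan-2", UserID: "u2", Add: true}, // not the validated channel
		},
	}
	ok, errs := ValidateChanges(msg)
	fmt.Printf("%d change(s) accepted, %d rejected\n", len(ok), len(errs))
	for _, e := range errs {
		fmt.Println("rejected:", e)
	}
	fmt.Println("same token on confirm:", ValidateRefreshedToken("invite-token-1", "invite-token-1", 12))
	fmt.Println("fresh token on confirm:", ValidateRefreshedToken("invite-token-1", "invite-token-2", 12))
}
```

A stronger shape of the first check is to drop the per-change channel field entirely and apply every change to msg.ValidatedChannelID, so there is no second identifier to disagree with; the explicit comparison above is the minimal fix when the wire format cannot change.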

Customer safety and data security are the utmost priorities for Mattermost. For our customers’ protection, and as outlined in our Responsible Disclosure policy, Mattermost does not disclose specifics on these vulnerabilities until 30 days after this announcement. After 30 days, we will publish specific details on the vulnerabilities on our Security Updates webpage.


Amy Blais is the Release Manager at Mattermost, Inc. Her other roles include Community and Customer Support. She previously served as the company’s Associate Marketing Manager.