CVE-2017-18884: Mattermost Server exposes OAuth personal access tokens to attackers

May 24, 2022 (updated December 5, 2025)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.

References

github.com/advisories/GHSA-876j-jfqf-m7j7
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2017-18884

Code Behaviors & Features

Detect and mitigate CVE-2017-18884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →