CVE-2017-18889: Mattermost Server is vulnerable to webhook and slash command manipulation

May 24, 2022 (updated December 5, 2025)

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.

References

github.com/advisories/GHSA-jp57-4x34-5v94
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2017-18889

Code Behaviors & Features

Detect and mitigate CVE-2017-18889 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →