Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored https://mattermost.com/security-updates
Created purple-mattermost tracking bugs for this issue: Affects: epel-all [bug 2277328] Affects: fedora-all [bug 2277329]