BookStack vs Mattermost
Side-by-side trajectory, velocity, and editorial themes.
BookStack opened a real theme extension surface, then spent six weeks patching CVEs.
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers were credited per release.
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.
v11.7 ships rearchitected AI agents and granular ABAC as Mattermost leans hard into regulated buyers.
Mattermost is now openly positioning as a collaboration platform for defense, intelligence, and critical infrastructure rather than a general-purpose team-chat alternative. The v11.7 release pairs Attribute-Based Access Control for Team Admins with a rearchitected Agents v2.0 layer that supports custom AI prompts and user-created agents, signaling that the AI roadmap will run on top of strict access governance rather than alongside it. Editorial output in May is overwhelmingly about sovereignty, coalition operations, and AI governance — the company is telling regulated buyers what to ask vendors during procurement.
The product is bifurcating from horizontal team chat into a sovereignty-and-governance-first platform aimed at procurement evaluations in defense and regulated finance. Each major release now ships more granular control surfaces (ABAC, coordinated ESR security cadence) underneath user-facing features (AI agents, custom prompts), which is consistent with a market where features only matter if they can pass a compliance review. Expect future releases to keep coupling AI capability to governance primitives rather than shipping AI features on their own.
The next minor release likely extends ABAC scope beyond Team Admins (channel-level or integration-level enforcement) and tightens the audit trail around user-created agents, since both are the natural follow-ons for a customer base that procures on control granularity. A coalition or cross-domain feature announcement is also plausible given how heavily April-May messaging leaned on multi-nation operational use cases.