CVE-2025-13324

Low CVSS: 3.7

CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
Vendor: Mattermost
Product: Mattermost Server
CWE: CWE-863
Publication Date: 2025-12-17 19:16:01
Updated: 2025-12-29 18:46:13
Source Identifier: responsibledisclosure@mattermost.com
KEV Date Added: -
