Christopher Poile

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.4.0 and earlier, 11.3.1 and earlier, 11.2.3 and earlier, 10.11.11 and earlier **Description** The software does not properly validate user identity within the OpenID `IsSameUser()` comparison logic. This flaw, stemming from overly permissive substring matching in the user discovery flow, could allow an attacker to compromise user accounts. **Recommendations** Update Mattermost to a version later than 11.4.0. Update Mattermost to a version later than 11.3.1. Update Mattermost to a version later than 11.2.3. Update Mattermost to a version later than 10.11.11.