PT-2025-42445 · Mattermost · Mattermost

Doyensec

Published

2025-10-16

Updated

2025-11-07

CVE-2025-58073

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.10 Mattermost versions 10.10.x through 10.10.2 Mattermost versions 10.11.x through 10.11.1

Description The Mattermost software has an issue where user permissions are not properly verified when joining a team using an invite token. This is due to manipulation of the OAuth state parameter. An attacker can bypass team membership restrictions and join any team on a Mattermost server without authorization.

Recommendations Update Mattermost versions to a version later than 10.5.10 Update Mattermost versions to a version later than 10.10.2 Update Mattermost versions to a version later than 10.11.1

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

BDU:2025-13336

CVE-2025-58073

GHSA-6Q7M-P8CC-998R

GO-2025-4032

OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost

PT-2025-42445 · Mattermost · Mattermost

CVE-2025-58073

Weakness Enumeration

Related Identifiers

Affected Products

References · 91