PT-2025-42446 · Mattermost · Mattermost

Doyensec · Published 2025-10-16 · Updated 2025-11-07 · CVE-2025-58075

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.10
Mattermost versions 10.10.x through 10.10.2
Mattermost versions 10.11.x through 10.11.1

Description
Mattermost does not properly verify a user's permission to join a team when the join is performed via an invite token. By manipulating the RelayState parameter, an attacker can bypass team-join restrictions and join any team on a Mattermost server.

Recommendations
Update Mattermost to a version later than 10.5.10
Update Mattermost to a version later than 10.10.2
Update Mattermost to a version later than 10.11.1

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2025-13332
CVE-2025-58075
GHSA-R6QJ-894F-5HR2
GO-2025-4035
OPENSUSE-SU-2025:15710-1

Affected Products

Mattermost