PT-2025-51854 · Mattermost · Mattermost
Daw10
·
Published
2025-12-17
·
Updated
2026-01-06
·
CVE-2025-13324
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.11.x through 10.11.5
Mattermost versions 11.0.x through 11.0.4
Mattermost versions 10.12.x through 10.12.2
Description
The software does not invalidate invite tokens after they are used. This allows a malicious actor who has intercepted an invite token to manipulate channel memberships. Specifically, they can add or remove users from private channels by replaying the token. The attack involves the replay of invite tokens.
Recommendations
Update Mattermost to a version later than 10.11.5.
Update Mattermost to a version later than 11.0.4.
Update Mattermost to a version later than 10.12.2.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost