PT-2026-33054 · Mattermost · Mattermost

Published

2026-04-15

Updated

2026-04-17

CVE-2026-3590

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.0 through 10.11.12 Mattermost version 11.5.0 Mattermost versions 11.4.0 through 11.4.2 Mattermost versions 11.3.0 through 11.3.2

Description Failure to enforce atomic single-use consumption of guest magic link tokens allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions by sending concurrent requests.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-367

Related Identifiers

BDU:2026-05568

CVE-2026-3590

GHSA-MH4X-RMRX-3HP4

Affected Products

Mattermost

PT-2026-33054 · Mattermost · Mattermost

CVE-2026-3590

Weakness Enumeration

Related Identifiers

Affected Products

References · 8